Blame SOURCES/shadow-4.6-audit-update.patch

5ab9c0
diff -up shadow-4.6/libmisc/audit_help.c.audit-update shadow-4.6/libmisc/audit_help.c
5ab9c0
--- shadow-4.6/libmisc/audit_help.c.audit-update	2018-04-29 18:42:37.000000000 +0200
5ab9c0
+++ shadow-4.6/libmisc/audit_help.c	2018-05-28 15:01:09.913717564 +0200
5ab9c0
@@ -68,7 +68,7 @@ void audit_help_open (void)
5ab9c0
  * This function will log a message to the audit system using a predefined
5ab9c0
  * message format. Parameter usage is as follows:
5ab9c0
  *
5ab9c0
- * type - type of message: AUDIT_USER_CHAUTHTOK for changing any account 
5ab9c0
+ * type - type of message: AUDIT_USER_MGMT for changing any account 
5ab9c0
  *	  attributes.
5ab9c0
  * pgname - program's name
5ab9c0
  * op  -  operation. "adding user", "changing finger info", "deleting group"
5ab9c0
@@ -88,6 +88,39 @@ void audit_logger (int type, unused cons
5ab9c0
 	}
5ab9c0
 }
5ab9c0
 
5ab9c0
+/*
5ab9c0
+ * This function will log a message to the audit system using a predefined
5ab9c0
+ * message format. Parameter usage is as follows:
5ab9c0
+ *
5ab9c0
+ * type - type of message: AUDIT_USER_MGMT for changing any account 
5ab9c0
+ *	  attributes.
5ab9c0
+ * pgname - program's name
5ab9c0
+ * op  -  operation. "adding user", "changing finger info", "deleting group"
5ab9c0
+ * name - user's account or group name. If not available use NULL.
5ab9c0
+ * id  -  uid or gid that the operation is being performed on. This is used
5ab9c0
+ *	  only when user is NULL.
5ab9c0
+ * grp - group name associated with event
5ab9c0
+ */
5ab9c0
+void audit_logger_with_group (int type, unused const char *pgname,
5ab9c0
+		const char *op, const char *name, unsigned int id,
5ab9c0
+		const char *grp, shadow_audit_result result)
5ab9c0
+{
5ab9c0
+	int len;
5ab9c0
+	char enc_group[(GROUP_NAME_MAX_LENGTH*2)+1], buf[1024];
5ab9c0
+	if (audit_fd < 0) {
5ab9c0
+		return;
5ab9c0
+	}
5ab9c0
+	len = strnlen(grp, sizeof(enc_group)/2);
5ab9c0
+	if (audit_value_needs_encoding(grp, len)) {
5ab9c0
+		snprintf(buf, sizeof(buf), "%s grp=%s", op,
5ab9c0
+			audit_encode_value(enc_group, grp, len));
5ab9c0
+	} else {
5ab9c0
+		snprintf(buf, sizeof(buf), "%s grp=\"%s\"", op, grp);
5ab9c0
+	}
5ab9c0
+	audit_log_acct_message (audit_fd, type, NULL, buf, name, id,
5ab9c0
+		                        NULL, NULL, NULL, (int) result);
5ab9c0
+}
5ab9c0
+
5ab9c0
 void audit_logger_message (const char *message, shadow_audit_result result)
5ab9c0
 {
5ab9c0
 	if (audit_fd < 0) {
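Review bot: In audit_logger_with_group the encoding check looks only at the first `len` bytes of `grp` (at most GROUP_NAME_MAX_LENGTH), but the unencoded branch prints the whole string with `%s`, so bytes past that bound reach the audit record unchecked and could hold a quote, space or control character that breaks the `grp=` field. Bounding the output to what was checked closes this: `snprintf(buf, sizeof(buf), "%s grp=\"%.*s\"", op, len, grp);`. `grp` is also handed to strnlen() without a NULL check, although the header comment allows NULL for `name`; either guard it or document that `grp` must be non-NULL. The snprintf() results are not checked, so a long `op` silently truncates the record.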
5ab9c0
diff -up shadow-4.6/libmisc/cleanup_group.c.audit-update shadow-4.6/libmisc/cleanup_group.c
5ab9c0
--- shadow-4.6/libmisc/cleanup_group.c.audit-update	2018-04-29 18:42:37.000000000 +0200
5ab9c0
+++ shadow-4.6/libmisc/cleanup_group.c	2018-05-28 15:01:09.913717564 +0200
5ab9c0
@@ -83,7 +83,7 @@ void cleanup_report_mod_group (void *cle
5ab9c0
 	         gr_dbname (),
5ab9c0
 	         info->action));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-	audit_logger (AUDIT_USER_ACCT, Prog,
5ab9c0
+	audit_logger (AUDIT_GRP_MGMT, Prog,
5ab9c0
 	              info->audit_msg,
5ab9c0
 	              info->name, AUDIT_NO_ID,
5ab9c0
 	              SHADOW_AUDIT_FAILURE);
5ab9c0
@@ -101,7 +101,7 @@ void cleanup_report_mod_gshadow (void *c
5ab9c0
 	         sgr_dbname (),
5ab9c0
 	         info->action));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-	audit_logger (AUDIT_USER_ACCT, Prog,
5ab9c0
+	audit_logger (AUDIT_GRP_MGMT, Prog,
5ab9c0
 	              info->audit_msg,
5ab9c0
 	              info->name, AUDIT_NO_ID,
5ab9c0
 	              SHADOW_AUDIT_FAILURE);
5ab9c0
@@ -122,7 +122,7 @@ void cleanup_report_add_group_group (voi
5ab9c0
 	SYSLOG ((LOG_ERR, "failed to add group %s to %s", name, gr_dbname ()));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 	audit_logger (AUDIT_ADD_GROUP, Prog,
5ab9c0
-	              "adding group to /etc/group",
5ab9c0
+	              "adding-group",
5ab9c0
 	              name, AUDIT_NO_ID,
5ab9c0
 	              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
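Review bot: The op strings chosen for the cleanup handlers do not match the ones this patch gives the tools themselves: this handler logs `"adding-group"` while groupadd.c logs `"add-group"`, and cleanup_report_del_group_group logs `"removing-group"` while groupdel.c logs `"delete-group"`. Anyone searching audit records by op needs both spellings to see the successes and failures of one operation. Using the tool's spelling here (`"add-group"`, `"delete-group"`, `"add-shadow-group"`, `"delete-shadow-group"`) would keep one vocabulary. The same question applies to `"adding-user"` and `"adding-shadow-user"` in cleanup_user.c, although the matching useradd strings are not visible here.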
5ab9c0
@@ -141,8 +141,8 @@ void cleanup_report_add_group_gshadow (v
5ab9c0
 
5ab9c0
 	SYSLOG ((LOG_ERR, "failed to add group %s to %s", name, sgr_dbname ()));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-	audit_logger (AUDIT_ADD_GROUP, Prog,
5ab9c0
-	              "adding group to /etc/gshadow",
5ab9c0
+	audit_logger (AUDIT_GRP_MGMT, Prog,
5ab9c0
+	              "adding-shadow-group",
5ab9c0
 	              name, AUDIT_NO_ID,
5ab9c0
 	              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
@@ -164,8 +164,8 @@ void cleanup_report_del_group_group (voi
5ab9c0
 	         "failed to remove group %s from %s",
5ab9c0
 	         name, gr_dbname ()));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-	audit_logger (AUDIT_ADD_GROUP, Prog,
5ab9c0
-	              "removing group from /etc/group",
5ab9c0
+	audit_logger (AUDIT_DEL_GROUP, Prog,
5ab9c0
+	              "removing-group",
5ab9c0
 	              name, AUDIT_NO_ID,
5ab9c0
 	              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
@@ -187,8 +187,8 @@ void cleanup_report_del_group_gshadow (v
5ab9c0
 	         "failed to remove group %s from %s",
5ab9c0
 	         name, sgr_dbname ()));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-	audit_logger (AUDIT_ADD_GROUP, Prog,
5ab9c0
-	              "removing group from /etc/gshadow",
5ab9c0
+	audit_logger (AUDIT_GRP_MGMT, Prog,
5ab9c0
+	              "removing-shadow-group",
5ab9c0
 	              name, AUDIT_NO_ID,
5ab9c0
 	              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
@@ -208,7 +208,7 @@ void cleanup_unlock_group (unused void *
5ab9c0
 		         Prog, gr_dbname ());
5ab9c0
 		SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger_message ("unlocking group file",
5ab9c0
+		audit_logger_message ("unlocking-group",
5ab9c0
 		                      SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
 	}
5ab9c0
@@ -228,7 +228,7 @@ void cleanup_unlock_gshadow (unused void
5ab9c0
 		         Prog, sgr_dbname ());
5ab9c0
 		SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger_message ("unlocking gshadow file",
5ab9c0
+		audit_logger_message ("unlocking-gshadow",
5ab9c0
 		                      SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
 	}
5ab9c0
diff -up shadow-4.6/libmisc/cleanup_user.c.audit-update shadow-4.6/libmisc/cleanup_user.c
5ab9c0
--- shadow-4.6/libmisc/cleanup_user.c.audit-update	2018-04-29 18:42:37.000000000 +0200
5ab9c0
+++ shadow-4.6/libmisc/cleanup_user.c	2018-05-28 15:01:09.913717564 +0200
5ab9c0
@@ -65,7 +65,7 @@ void cleanup_report_mod_passwd (void *cl
5ab9c0
 	         pw_dbname (),
5ab9c0
 	         info->action));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-	audit_logger (AUDIT_USER_ACCT, Prog,
5ab9c0
+	audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
 	              info->audit_msg,
5ab9c0
 	              info->name, AUDIT_NO_ID,
5ab9c0
 	              SHADOW_AUDIT_FAILURE);
5ab9c0
@@ -86,7 +86,7 @@ void cleanup_report_add_user_passwd (voi
5ab9c0
 	SYSLOG ((LOG_ERR, "failed to add user %s to %s", name, pw_dbname ()));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 	audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-	              "adding user to /etc/passwd",
5ab9c0
+	              "adding-user",
5ab9c0
 	              name, AUDIT_NO_ID,
5ab9c0
 	              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
@@ -105,8 +105,8 @@ void cleanup_report_add_user_shadow (voi
5ab9c0
 
5ab9c0
 	SYSLOG ((LOG_ERR, "failed to add user %s to %s", name, spw_dbname ()));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-	audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-	              "adding user to /etc/shadow",
5ab9c0
+	audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+	              "adding-shadow-user",
5ab9c0
 	              name, AUDIT_NO_ID,
5ab9c0
 	              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
@@ -125,7 +125,7 @@ void cleanup_unlock_passwd (unused void
5ab9c0
 		         Prog, pw_dbname ());
5ab9c0
 		SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger_message ("unlocking passwd file",
5ab9c0
+		audit_logger_message ("unlocking-passwd",
5ab9c0
 		                      SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
 	}
5ab9c0
@@ -144,7 +144,7 @@ void cleanup_unlock_shadow (unused void
5ab9c0
 		         Prog, spw_dbname ());
5ab9c0
 		SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger_message ("unlocking shadow file",
5ab9c0
+		audit_logger_message ("unlocking-shadow",
5ab9c0
 		                      SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
 	}
5ab9c0
diff -up shadow-4.6/lib/prototypes.h.audit-update shadow-4.6/lib/prototypes.h
5ab9c0
--- shadow-4.6/lib/prototypes.h.audit-update	2018-05-28 15:01:09.901717309 +0200
5ab9c0
+++ shadow-4.6/lib/prototypes.h	2018-05-28 15:01:09.913717564 +0200
5ab9c0
@@ -211,12 +211,21 @@ extern int audit_fd;
5ab9c0
 extern void audit_help_open (void);
5ab9c0
 /* Use AUDIT_NO_ID when a name is provided to audit_logger instead of an ID */
5ab9c0
 #define AUDIT_NO_ID	((unsigned int) -1)
5ab9c0
+#ifndef AUDIT_GRP_MGMT
5ab9c0
+#define AUDIT_GRP_MGMT          1132    /* Group account was modified */
5ab9c0
+#endif
5ab9c0
+#ifndef AUDIT_GRP_CHAUTHTOK
5ab9c0
+#define AUDIT_GRP_CHAUTHTOK     1133    /* Group account password was changed */
5ab9c0
+#endif
5ab9c0
 typedef enum {
5ab9c0
 	SHADOW_AUDIT_FAILURE = 0,
5ab9c0
 	SHADOW_AUDIT_SUCCESS = 1} shadow_audit_result;
5ab9c0
 extern void audit_logger (int type, const char *pgname, const char *op,
5ab9c0
                           const char *name, unsigned int id,
5ab9c0
                           shadow_audit_result result);
5ab9c0
+void audit_logger_with_group (int type, unused const char *pgname,
5ab9c0
+                const char *op, const char *name, unsigned int id, 
5ab9c0
+                const char *grp, shadow_audit_result result);
5ab9c0
 void audit_logger_message (const char *message, shadow_audit_result result);
5ab9c0
 #endif
5ab9c0
 
5ab9c0
diff -up shadow-4.6/src/gpasswd.c.audit-update shadow-4.6/src/gpasswd.c
5ab9c0
--- shadow-4.6/src/gpasswd.c.audit-update	2018-04-29 18:42:37.000000000 +0200
5ab9c0
+++ shadow-4.6/src/gpasswd.c	2018-05-28 15:01:09.914717585 +0200
5ab9c0
@@ -137,7 +137,7 @@ static void usage (int status)
5ab9c0
 	(void) fputs (_("  -d, --delete USER             remove USER from GROUP\n"), usageout);
5ab9c0
 	(void) fputs (_("  -h, --help                    display this help message and exit\n"), usageout);
5ab9c0
 	(void) fputs (_("  -Q, --root CHROOT_DIR         directory to chroot into\n"), usageout);
5ab9c0
-	(void) fputs (_("  -r, --remove-password         remove the GROUP's password\n"), usageout);
5ab9c0
+	(void) fputs (_("  -r, --delete-password         remove the GROUP's password\n"), usageout);
5ab9c0
 	(void) fputs (_("  -R, --restrict                restrict access to GROUP to its members\n"), usageout);
5ab9c0
 	(void) fputs (_("  -M, --members USER,...        set the list of members of GROUP\n"), usageout);
5ab9c0
 #ifdef SHADOWGRP
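Review bot: The help text now advertises `--delete-password`, but no hunk in this file's section touches the long-options table, so unless that table already accepts this spelling the usage output names an option the parser will reject. Either add the new name next to the old one in the table or keep the help text on `--remove-password`; the table itself lies outside the hunks shown.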
5ab9c0
@@ -396,21 +396,14 @@ static void open_files (void)
5ab9c0
 
5ab9c0
 static void log_gpasswd_failure (const char *suffix)
5ab9c0
 {
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-	char buf[1024];
5ab9c0
-#endif
5ab9c0
 	if (aflg) {
5ab9c0
 		SYSLOG ((LOG_ERR,
5ab9c0
 		         "%s failed to add user %s to group %s%s",
5ab9c0
 		         myname, user, group, suffix));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		snprintf (buf, 1023,
5ab9c0
-		          "%s failed to add user %s to group %s%s",
5ab9c0
-		          myname, user, group, suffix);
5ab9c0
-		buf[1023] = '\0';
5ab9c0
-		audit_logger (AUDIT_USER_ACCT, Prog,
5ab9c0
-		              buf,
5ab9c0
-		              group, AUDIT_NO_ID,
5ab9c0
+		audit_logger_with_group (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "add-user-to-group",
5ab9c0
+		              user, AUDIT_NO_ID, group,
5ab9c0
 		              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
 	} else if (dflg) {
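Review bot: The audit record no longer carries `suffix`, which the SYSLOG call just above still appends, so records produced through different callers of log_gpasswd_failure become identical in the audit trail. If the suffix is what tells the group file and the shadow group file apart (its values are not visible in this hunk), that distinction now exists only in syslog. A comment at the call, such as `/* suffix is deliberately left out of the audit record; see syslog */`, would make the omission read as a decision. The same applies to every later hunk in log_gpasswd_failure and log_gpasswd_success; the function body continues outside this hunk.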
5ab9c0
@@ -418,13 +411,9 @@ static void log_gpasswd_failure (const c
5ab9c0
 		         "%s failed to remove user %s from group %s%s",
5ab9c0
 		         myname, user, group, suffix));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		snprintf (buf, 1023,
5ab9c0
-		          "%s failed to remove user %s from group %s%s",
5ab9c0
-		          myname, user, group, suffix);
5ab9c0
-		buf[1023] = '\0';
5ab9c0
-		audit_logger (AUDIT_USER_ACCT, Prog,
5ab9c0
-		              buf,
5ab9c0
-		              group, AUDIT_NO_ID,
5ab9c0
+		audit_logger_with_group (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "delete-user-from-group",
5ab9c0
+		              user, AUDIT_NO_ID, group,
5ab9c0
 		              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
 	} else if (rflg) {
5ab9c0
@@ -432,13 +421,9 @@ static void log_gpasswd_failure (const c
5ab9c0
 		         "%s failed to remove password of group %s%s",
5ab9c0
 		         myname, group, suffix));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		snprintf (buf, 1023,
5ab9c0
-		          "%s failed to remove password of group %s%s",
5ab9c0
-		          myname, group, suffix);
5ab9c0
-		buf[1023] = '\0';
5ab9c0
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              buf,
5ab9c0
-		              group, AUDIT_NO_ID,
5ab9c0
+		audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
5ab9c0
+		              "delete-group-password",
5ab9c0
+		              myname, AUDIT_NO_ID, group,
5ab9c0
 		              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
 	} else if (Rflg) {
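Review bot: `myname` is passed in the `name` position, which the header comment of audit_logger_with_group describes as the user's account or group name the operation concerns, so `acct=` in this record will hold the invoking user rather than a target. The same is done in the Rflg and change-password branches of both log_gpasswd_failure and log_gpasswd_success. Since the target group is already in `grp=`, a short comment at each call, e.g. `/* acct= is the invoking user here; the group is in grp= */`, would keep log readers and later maintainers from misreading it. The function body continues outside this hunk.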
5ab9c0
@@ -446,13 +431,9 @@ static void log_gpasswd_failure (const c
5ab9c0
 		         "%s failed to restrict access to group %s%s",
5ab9c0
 		         myname, group, suffix));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		snprintf (buf, 1023,
5ab9c0
-		          "%s failed to restrict access to group %s%s",
5ab9c0
-		          myname, group, suffix);
5ab9c0
-		buf[1023] = '\0';
5ab9c0
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              buf,
5ab9c0
-		              group, AUDIT_NO_ID,
5ab9c0
+		audit_logger_with_group (AUDIT_GRP_MGMT, Prog,
5ab9c0
+		              "restrict-group",
5ab9c0
+		              myname, AUDIT_NO_ID, group,
5ab9c0
 		              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
 	} else if (Aflg || Mflg) {
5ab9c0
@@ -462,13 +443,9 @@ static void log_gpasswd_failure (const c
5ab9c0
 			         "%s failed to set the administrators of group %s to %s%s",
5ab9c0
 			         myname, group, admins, suffix));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-			snprintf (buf, 1023,
5ab9c0
-			          "%s failed to set the administrators of group %s to %s%s",
5ab9c0
-			          myname, group, admins, suffix);
5ab9c0
-			buf[1023] = '\0';
5ab9c0
-			audit_logger (AUDIT_USER_ACCT, Prog,
5ab9c0
-			              buf,
5ab9c0
-			              group, AUDIT_NO_ID,
5ab9c0
+			audit_logger_with_group (AUDIT_GRP_MGMT, Prog,
5ab9c0
+			              "set-admins-of-group",
5ab9c0
+			              admins, AUDIT_NO_ID, group,
5ab9c0
 			              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
 		}
5ab9c0
@@ -478,13 +455,9 @@ static void log_gpasswd_failure (const c
5ab9c0
 			         "%s failed to set the members of group %s to %s%s",
5ab9c0
 			         myname, group, members, suffix));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-			snprintf (buf, 1023,
5ab9c0
-			          "%s failed to set the members of group %s to %s%s",
5ab9c0
-			          myname, group, members, suffix);
5ab9c0
-			buf[1023] = '\0';
5ab9c0
-			audit_logger (AUDIT_USER_ACCT, Prog,
5ab9c0
-			              buf,
5ab9c0
-			              group, AUDIT_NO_ID,
5ab9c0
+			audit_logger_with_group (AUDIT_USER_MGMT, Prog,
5ab9c0
+			              "add-users-to-group",
5ab9c0
+			              members, AUDIT_NO_ID, group,
5ab9c0
 			              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
 		}
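Review bot: The -M branch is logged as `"add-users-to-group"`, but the SYSLOG text beside it says the member list is being set, so the audit op understates the change when the new list drops existing members. An op parallel to the admins case, `"set-members-of-group"`, would describe it accurately. `members` also appears to be a list of names passed as a single `name` argument (the usage text shows `USER,...`), so the resulting `acct=` value is not one account; that deserves a comment at the call. The same call appears in log_gpasswd_success at @@ -612,13.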
5ab9c0
@@ -493,13 +466,9 @@ static void log_gpasswd_failure (const c
5ab9c0
 		         "%s failed to change password of group %s%s",
5ab9c0
 		         myname, group, suffix));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		snprintf (buf, 1023,
5ab9c0
-		          "%s failed to change password of group %s%s",
5ab9c0
-		          myname, group, suffix);
5ab9c0
-		buf[1023] = '\0';
5ab9c0
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              buf,
5ab9c0
-		              group, AUDIT_NO_ID,
5ab9c0
+		audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
5ab9c0
+		              "change-password",
5ab9c0
+		              myname, AUDIT_NO_ID, group,
5ab9c0
 		              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
 	}
5ab9c0
@@ -530,21 +499,14 @@ static void log_gpasswd_failure_gshadow
5ab9c0
 
5ab9c0
 static void log_gpasswd_success (const char *suffix)
5ab9c0
 {
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-	char buf[1024];
5ab9c0
-#endif
5ab9c0
 	if (aflg) {
5ab9c0
 		SYSLOG ((LOG_INFO,
5ab9c0
 		         "user %s added by %s to group %s%s",
5ab9c0
 		         user, myname, group, suffix));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		snprintf (buf, 1023,
5ab9c0
-		          "user %s added by %s to group %s%s",
5ab9c0
-		          user, myname, group, suffix);
5ab9c0
-		buf[1023] = '\0';
5ab9c0
-		audit_logger (AUDIT_USER_ACCT, Prog,
5ab9c0
-		              buf,
5ab9c0
-		              group, AUDIT_NO_ID,
5ab9c0
+		audit_logger_with_group (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "add-user-to-group",
5ab9c0
+		              user, AUDIT_NO_ID, group,
5ab9c0
 		              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
 	} else if (dflg) {
5ab9c0
@@ -552,13 +514,9 @@ static void log_gpasswd_success (const c
5ab9c0
 		         "user %s removed by %s from group %s%s",
5ab9c0
 		         user, myname, group, suffix));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		snprintf (buf, 1023,
5ab9c0
-		          "user %s removed by %s from group %s%s",
5ab9c0
-		          user, myname, group, suffix);
5ab9c0
-		buf[1023] = '\0';
5ab9c0
-		audit_logger (AUDIT_USER_ACCT, Prog,
5ab9c0
-		              buf,
5ab9c0
-		              group, AUDIT_NO_ID,
5ab9c0
+		audit_logger_with_group (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "delete-user-from-group",
5ab9c0
+		              user, AUDIT_NO_ID, group,
5ab9c0
 		              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
 	} else if (rflg) {
5ab9c0
@@ -566,13 +524,9 @@ static void log_gpasswd_success (const c
5ab9c0
 		         "password of group %s removed by %s%s",
5ab9c0
 		         group, myname, suffix));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		snprintf (buf, 1023,
5ab9c0
-		          "password of group %s removed by %s%s",
5ab9c0
-		          group, myname, suffix);
5ab9c0
-		buf[1023] = '\0';
5ab9c0
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              buf,
5ab9c0
-		              group, AUDIT_NO_ID,
5ab9c0
+		audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
5ab9c0
+		              "delete-group-password",
5ab9c0
+		              myname, AUDIT_NO_ID, group,
5ab9c0
 		              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
 	} else if (Rflg) {
5ab9c0
@@ -580,13 +534,9 @@ static void log_gpasswd_success (const c
5ab9c0
 		         "access to group %s restricted by %s%s",
5ab9c0
 		         group, myname, suffix));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		snprintf (buf, 1023,
5ab9c0
-		          "access to group %s restricted by %s%s",
5ab9c0
-		          group, myname, suffix);
5ab9c0
-		buf[1023] = '\0';
5ab9c0
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              buf,
5ab9c0
-		              group, AUDIT_NO_ID,
5ab9c0
+		audit_logger_with_group (AUDIT_GRP_MGMT, Prog,
5ab9c0
+		              "restrict-group",
5ab9c0
+		              myname, AUDIT_NO_ID, group,
5ab9c0
 		              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
 	} else if (Aflg || Mflg) {
5ab9c0
@@ -596,13 +546,9 @@ static void log_gpasswd_success (const c
5ab9c0
 			         "administrators of group %s set by %s to %s%s",
5ab9c0
 			         group, myname, admins, suffix));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-			snprintf (buf, 1023,
5ab9c0
-			          "administrators of group %s set by %s to %s%s",
5ab9c0
-			          group, myname, admins, suffix);
5ab9c0
-			buf[1023] = '\0';
5ab9c0
-			audit_logger (AUDIT_USER_ACCT, Prog,
5ab9c0
-			              buf,
5ab9c0
-			              group, AUDIT_NO_ID,
5ab9c0
+			audit_logger_with_group (AUDIT_GRP_MGMT, Prog,
5ab9c0
+			              "set-admins-of-group",
5ab9c0
+			              admins, AUDIT_NO_ID, group,
5ab9c0
 			              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
 		}
5ab9c0
@@ -612,13 +558,9 @@ static void log_gpasswd_success (const c
5ab9c0
 			         "members of group %s set by %s to %s%s",
5ab9c0
 			         group, myname, members, suffix));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-			snprintf (buf, 1023,
5ab9c0
-			          "members of group %s set by %s to %s%s",
5ab9c0
-			          group, myname, members, suffix);
5ab9c0
-			buf[1023] = '\0';
5ab9c0
-			audit_logger (AUDIT_USER_ACCT, Prog,
5ab9c0
-			              buf,
5ab9c0
-			              group, AUDIT_NO_ID,
5ab9c0
+			audit_logger_with_group (AUDIT_USER_MGMT, Prog,
5ab9c0
+			              "add-users-to-group",
5ab9c0
+			              members, AUDIT_NO_ID, group,
5ab9c0
 			              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
 		}
5ab9c0
@@ -627,13 +569,9 @@ static void log_gpasswd_success (const c
5ab9c0
 		         "password of group %s changed by %s%s",
5ab9c0
 		         group, myname, suffix));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		snprintf (buf, 1023,
5ab9c0
-		          "password of group %s changed by %s%s",
5ab9c0
-		          group, myname, suffix);
5ab9c0
-		buf[1023] = '\0';
5ab9c0
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              buf,
5ab9c0
-		              group, AUDIT_NO_ID,
5ab9c0
+		audit_logger_with_group (AUDIT_GRP_CHAUTHTOK, Prog,
5ab9c0
+		              "change-password",
5ab9c0
+		              myname, AUDIT_NO_ID, group,
5ab9c0
 		              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
 	}
5ab9c0
diff -up shadow-4.6/src/groupadd.c.audit-update shadow-4.6/src/groupadd.c
5ab9c0
--- shadow-4.6/src/groupadd.c.audit-update	2018-04-29 18:42:37.000000000 +0200
5ab9c0
+++ shadow-4.6/src/groupadd.c	2018-05-28 15:02:53.137910337 +0200
5ab9c0
@@ -130,6 +130,15 @@ static /*@noreturn@*/void usage (int sta
5ab9c0
 	exit (status);
5ab9c0
 }
5ab9c0
 
5ab9c0
+static void fail_exit(int status)
5ab9c0
+{
5ab9c0
+#ifdef WITH_AUDIT
5ab9c0
+	audit_logger(AUDIT_ADD_GROUP, Prog, "add-group", group_name,
5ab9c0
+			AUDIT_NO_ID, SHADOW_AUDIT_FAILURE);
5ab9c0
+#endif
5ab9c0
+	exit (status);
5ab9c0
+}
5ab9c0
+
5ab9c0
 /*
5ab9c0
  * new_grent - initialize the values in a group file entry
5ab9c0
  *
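Review bot: fail_exit never returns but is declared as a plain `static void`, while usage() just above carries `/*@noreturn@*/`, and callers such as check_new_name now end in fail_exit(). Marking it the same way, `static /*@noreturn@*/void fail_exit (int status)`, keeps the annotation consistent and lets static analysis follow the control flow. A one-line comment stating that it records an AUDIT_ADD_GROUP failure before exiting would also help, since the name alone does not say that it writes to the audit log.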
5ab9c0
@@ -213,7 +222,7 @@ static void grp_update (void)
5ab9c0
 		fprintf (stderr,
5ab9c0
 		         _("%s: failed to prepare the new %s entry '%s'\n"),
5ab9c0
 		         Prog, gr_dbname (), grp.gr_name);
5ab9c0
-		exit (E_GRP_UPDATE);
5ab9c0
+		fail_exit (E_GRP_UPDATE);
5ab9c0
 	}
5ab9c0
 #ifdef	SHADOWGRP
5ab9c0
 	/*
5ab9c0
@@ -223,7 +232,7 @@ static void grp_update (void)
5ab9c0
 		fprintf (stderr,
5ab9c0
 		         _("%s: failed to prepare the new %s entry '%s'\n"),
5ab9c0
 		         Prog, sgr_dbname (), sgrp.sg_name);
5ab9c0
-		exit (E_GRP_UPDATE);
5ab9c0
+		fail_exit (E_GRP_UPDATE);
5ab9c0
 	}
5ab9c0
 #endif				/* SHADOWGRP */
5ab9c0
 }
5ab9c0
@@ -247,7 +256,7 @@ static void check_new_name (void)
5ab9c0
 	fprintf (stderr, _("%s: '%s' is not a valid group name\n"),
5ab9c0
 	         Prog, group_name);
5ab9c0
 
5ab9c0
-	exit (E_BAD_ARG);
5ab9c0
+	fail_exit (E_BAD_ARG);
5ab9c0
 }
5ab9c0
 
5ab9c0
 /*
5ab9c0
@@ -263,11 +272,11 @@ static void close_files (void)
5ab9c0
 		fprintf (stderr,
5ab9c0
 		         _("%s: failure while writing changes to %s\n"),
5ab9c0
 		         Prog, gr_dbname ());
5ab9c0
-		exit (E_GRP_UPDATE);
5ab9c0
+		fail_exit (E_GRP_UPDATE);
5ab9c0
 	}
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 	audit_logger (AUDIT_ADD_GROUP, Prog,
5ab9c0
-	              "adding group to /etc/group",
5ab9c0
+	              "add-group",
5ab9c0
 	              group_name, (unsigned int) group_id,
5ab9c0
 	              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
@@ -285,11 +294,11 @@ static void close_files (void)
5ab9c0
 			fprintf (stderr,
5ab9c0
 			         _("%s: failure while writing changes to %s\n"),
5ab9c0
 			         Prog, sgr_dbname ());
5ab9c0
-			exit (E_GRP_UPDATE);
5ab9c0
+			fail_exit (E_GRP_UPDATE);
5ab9c0
 		}
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_ADD_GROUP, Prog,
5ab9c0
-		              "adding group to /etc/gshadow",
5ab9c0
+		audit_logger (AUDIT_GRP_MGMT, Prog,
5ab9c0
+		              "add-shadow-group",
5ab9c0
 		              group_name, (unsigned int) group_id,
5ab9c0
 		              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
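Review bot: When the shadow group file fails to close here, fail_exit() logs an AUDIT_ADD_GROUP `add-group` failure, although the earlier hunk in close_files has by then logged an AUDIT_ADD_GROUP `add-group` success for the same group, assuming the two blocks run in the order shown. The trail would then hold a success and a failure of the same type and op for one invocation. Logging the shadow-specific failure instead, `audit_logger (AUDIT_GRP_MGMT, Prog, "add-shadow-group", group_name, (unsigned int) group_id, SHADOW_AUDIT_FAILURE);` followed by a plain `exit (E_GRP_UPDATE);`, would keep the record accurate. groupdel.c has the same pattern at @@ -187,12, and close_files continues outside this hunk.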
5ab9c0
@@ -303,12 +312,6 @@ static void close_files (void)
5ab9c0
 #endif				/* SHADOWGRP */
5ab9c0
 
5ab9c0
 	/* Report success at the system level */
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-	audit_logger (AUDIT_ADD_GROUP, Prog,
5ab9c0
-	              "",
5ab9c0
-	              group_name, (unsigned int) group_id,
5ab9c0
-	              SHADOW_AUDIT_SUCCESS);
5ab9c0
-#endif
5ab9c0
 	SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u",
5ab9c0
 	         group_name, (unsigned int) group_id));
5ab9c0
 	del_cleanup (cleanup_report_add_group);
5ab9c0
@@ -326,7 +329,7 @@ static void open_files (void)
5ab9c0
 		fprintf (stderr,
5ab9c0
 		         _("%s: cannot lock %s; try again later.\n"),
5ab9c0
 		         Prog, gr_dbname ());
5ab9c0
-		exit (E_GRP_UPDATE);
5ab9c0
+		fail_exit (E_GRP_UPDATE);
5ab9c0
 	}
5ab9c0
 	add_cleanup (cleanup_unlock_group, NULL);
5ab9c0
 
5ab9c0
@@ -336,7 +339,7 @@ static void open_files (void)
5ab9c0
 			fprintf (stderr,
5ab9c0
 			         _("%s: cannot lock %s; try again later.\n"),
5ab9c0
 			         Prog, sgr_dbname ());
5ab9c0
-			exit (E_GRP_UPDATE);
5ab9c0
+			fail_exit (E_GRP_UPDATE);
5ab9c0
 		}
5ab9c0
 		add_cleanup (cleanup_unlock_gshadow, NULL);
5ab9c0
 	}
5ab9c0
@@ -352,7 +355,7 @@ static void open_files (void)
5ab9c0
 	if (gr_open (O_CREAT | O_RDWR) == 0) {
5ab9c0
 		fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
5ab9c0
 		SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ()));
5ab9c0
-		exit (E_GRP_UPDATE);
5ab9c0
+		fail_exit (E_GRP_UPDATE);
5ab9c0
 	}
5ab9c0
 
5ab9c0
 #ifdef	SHADOWGRP
5ab9c0
@@ -362,7 +365,7 @@ static void open_files (void)
5ab9c0
 			         _("%s: cannot open %s\n"),
5ab9c0
 			         Prog, sgr_dbname ());
5ab9c0
 			SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ()));
5ab9c0
-			exit (E_GRP_UPDATE);
5ab9c0
+			fail_exit (E_GRP_UPDATE);
5ab9c0
 		}
5ab9c0
 	}
5ab9c0
 #endif				/* SHADOWGRP */
5ab9c0
@@ -495,7 +498,7 @@ static void check_flags (void)
5ab9c0
 		fprintf (stderr,
5ab9c0
 		         _("%s: group '%s' already exists\n"),
5ab9c0
 		         Prog, group_name);
5ab9c0
-		exit (E_NAME_IN_USE);
5ab9c0
+		fail_exit (E_NAME_IN_USE);
5ab9c0
 	}
5ab9c0
 
5ab9c0
 	if (gflg && (prefix_getgrgid (group_id) != NULL)) {
5ab9c0
@@ -514,7 +517,7 @@ static void check_flags (void)
5ab9c0
 			fprintf (stderr,
5ab9c0
 			         _("%s: GID '%lu' already exists\n"),
5ab9c0
 			         Prog, (unsigned long int) group_id);
5ab9c0
-			exit (E_GID_IN_USE);
5ab9c0
+			fail_exit (E_GID_IN_USE);
5ab9c0
 		}
5ab9c0
 	}
5ab9c0
 }
5ab9c0
@@ -542,7 +545,7 @@ static void check_perms (void)
5ab9c0
 		fprintf (stderr,
5ab9c0
 		         _("%s: Cannot determine your user name.\n"),
5ab9c0
 		         Prog);
5ab9c0
-		exit (1);
5ab9c0
+		fail_exit (1);
5ab9c0
 	}
5ab9c0
 
5ab9c0
 	retval = pam_start ("groupadd", pampw->pw_name, &conv, &pamh);
5ab9c0
@@ -562,7 +565,7 @@ static void check_perms (void)
5ab9c0
 		if (NULL != pamh) {
5ab9c0
 			(void) pam_end (pamh, retval);
5ab9c0
 		}
5ab9c0
-		exit (1);
5ab9c0
+		fail_exit (1);
5ab9c0
 	}
5ab9c0
 	(void) pam_end (pamh, retval);
5ab9c0
 #endif				/* USE_PAM */
5ab9c0
@@ -595,7 +598,7 @@ int main (int argc, char **argv)
5ab9c0
 		fprintf (stderr,
5ab9c0
 		         _("%s: Cannot setup cleanup service.\n"),
5ab9c0
 		         Prog);
5ab9c0
-		exit (1);
5ab9c0
+		fail_exit (1);
5ab9c0
 	}
5ab9c0
 
5ab9c0
 	/*
5ab9c0
@@ -617,7 +620,7 @@ int main (int argc, char **argv)
5ab9c0
 
5ab9c0
 	if (!gflg) {
5ab9c0
 		if (find_new_gid (rflg, &group_id, NULL) < 0) {
5ab9c0
-			exit (E_GID_IN_USE);
5ab9c0
+			fail_exit (E_GID_IN_USE);
5ab9c0
 		}
5ab9c0
 	}
5ab9c0
 
5ab9c0
diff -up shadow-4.6/src/groupdel.c.audit-update shadow-4.6/src/groupdel.c
5ab9c0
--- shadow-4.6/src/groupdel.c.audit-update	2018-04-29 18:42:37.000000000 +0200
5ab9c0
+++ shadow-4.6/src/groupdel.c	2018-05-28 15:01:09.914717585 +0200
5ab9c0
@@ -105,6 +105,15 @@ static /*@noreturn@*/void usage (int sta
5ab9c0
 	exit (status);
5ab9c0
 }
5ab9c0
 
5ab9c0
+static void fail_exit(int status)
5ab9c0
+{
5ab9c0
+#ifdef WITH_AUDIT
5ab9c0
+	audit_logger(AUDIT_GRP_MGMT, Prog, "delete-group", group_name,
5ab9c0
+                        AUDIT_NO_ID, SHADOW_AUDIT_FAILURE);
5ab9c0
+#endif
5ab9c0
+	exit (status);
5ab9c0
+}
5ab9c0
+
5ab9c0
 /*
5ab9c0
  * grp_update - update group file entries
5ab9c0
  *
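Review bot: fail_exit in groupdel logs failures as AUDIT_GRP_MGMT, while the success record in close_files and the failure record in cleanup_report_del_group_group both use AUDIT_DEL_GROUP, and groupadd's fail_exit uses AUDIT_ADD_GROUP. A search for AUDIT_DEL_GROUP events would therefore miss deletions that fail on this path. Changing the first argument, `audit_logger(AUDIT_DEL_GROUP, Prog, "delete-group", group_name,`, would line it up; if AUDIT_GRP_MGMT is intended, a comment saying why would help. Like usage() above it, the function could also carry `/*@noreturn@*/`.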
5ab9c0
@@ -131,7 +140,7 @@ static void grp_update (void)
5ab9c0
 		fprintf (stderr,
5ab9c0
 		         _("%s: cannot remove entry '%s' from %s\n"),
5ab9c0
 		         Prog, group_name, gr_dbname ());
5ab9c0
-		exit (E_GRP_UPDATE);
5ab9c0
+		fail_exit (E_GRP_UPDATE);
5ab9c0
 	}
5ab9c0
 
5ab9c0
 #ifdef	SHADOWGRP
5ab9c0
@@ -143,7 +152,7 @@ static void grp_update (void)
5ab9c0
 			fprintf (stderr,
5ab9c0
 			         _("%s: cannot remove entry '%s' from %s\n"),
5ab9c0
 			         Prog, group_name, sgr_dbname ());
5ab9c0
-			exit (E_GRP_UPDATE);
5ab9c0
+			fail_exit (E_GRP_UPDATE);
5ab9c0
 		}
5ab9c0
 	}
5ab9c0
 #endif				/* SHADOWGRP */
5ab9c0
@@ -162,12 +171,12 @@ static void close_files (void)
5ab9c0
 		fprintf (stderr,
5ab9c0
 		         _("%s: failure while writing changes to %s\n"),
5ab9c0
 		         Prog, gr_dbname ());
5ab9c0
-		exit (E_GRP_UPDATE);
5ab9c0
+		fail_exit (E_GRP_UPDATE);
5ab9c0
 	}
5ab9c0
 
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 	audit_logger (AUDIT_DEL_GROUP, Prog,
5ab9c0
-	              "removing group from /etc/group",
5ab9c0
+	              "delete-group",
5ab9c0
 	              group_name, (unsigned int) group_id,
5ab9c0
 	              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
@@ -187,12 +196,12 @@ static void close_files (void)
5ab9c0
 			fprintf (stderr,
5ab9c0
 			         _("%s: failure while writing changes to %s\n"),
5ab9c0
 			         Prog, sgr_dbname ());
5ab9c0
-			exit (E_GRP_UPDATE);
5ab9c0
+			fail_exit (E_GRP_UPDATE);
5ab9c0
 		}
5ab9c0
 
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_DEL_GROUP, Prog,
5ab9c0
-		              "removing group from /etc/gshadow",
5ab9c0
+		audit_logger (AUDIT_GRP_MGMT, Prog,
5ab9c0
+		              "delete-shadow-group",
5ab9c0
 		              group_name, (unsigned int) group_id,
5ab9c0
 		              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
@@ -206,13 +215,6 @@ static void close_files (void)
5ab9c0
 	}
5ab9c0
 #endif				/* SHADOWGRP */
5ab9c0
 
5ab9c0
-	/* Report success at the system level */
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-	audit_logger (AUDIT_DEL_GROUP, Prog,
5ab9c0
-	              "",
5ab9c0
-	              group_name, (unsigned int) group_id,
5ab9c0
-	              SHADOW_AUDIT_SUCCESS);
5ab9c0
-#endif
5ab9c0
 	SYSLOG ((LOG_INFO, "group '%s' removed\n", group_name));
5ab9c0
 	del_cleanup (cleanup_report_del_group);
5ab9c0
 }
5ab9c0
@@ -229,7 +231,7 @@ static void open_files (void)
5ab9c0
 		fprintf (stderr,
5ab9c0
 		         _("%s: cannot lock %s; try again later.\n"),
5ab9c0
 		         Prog, gr_dbname ());
5ab9c0
-		exit (E_GRP_UPDATE);
5ab9c0
+		fail_exit (E_GRP_UPDATE);
5ab9c0
 	}
5ab9c0
 	add_cleanup (cleanup_unlock_group, NULL);
5ab9c0
 #ifdef	SHADOWGRP
5ab9c0
@@ -238,7 +240,7 @@ static void open_files (void)
5ab9c0
 			fprintf (stderr,
5ab9c0
 			         _("%s: cannot lock %s; try again later.\n"),
5ab9c0
 			         Prog, sgr_dbname ());
5ab9c0
-			exit (E_GRP_UPDATE);
5ab9c0
+			fail_exit (E_GRP_UPDATE);
5ab9c0
 		}
5ab9c0
 		add_cleanup (cleanup_unlock_gshadow, NULL);
5ab9c0
 	}
5ab9c0
@@ -256,7 +258,7 @@ static void open_files (void)
5ab9c0
 		         _("%s: cannot open %s\n"),
5ab9c0
 		         Prog, gr_dbname ());
5ab9c0
 		SYSLOG ((LOG_WARN, "cannot open %s", gr_dbname ()));
5ab9c0
-		exit (E_GRP_UPDATE);
5ab9c0
+		fail_exit (E_GRP_UPDATE);
5ab9c0
 	}
5ab9c0
 #ifdef	SHADOWGRP
5ab9c0
 	if (is_shadow_grp) {
5ab9c0
@@ -265,7 +267,7 @@ static void open_files (void)
5ab9c0
 			         _("%s: cannot open %s\n"),
5ab9c0
 			         Prog, sgr_dbname ());
5ab9c0
 			SYSLOG ((LOG_WARN, "cannot open %s", sgr_dbname ()));
5ab9c0
-			exit (E_GRP_UPDATE);
5ab9c0
+			fail_exit (E_GRP_UPDATE);
5ab9c0
 		}
5ab9c0
 	}
5ab9c0
 #endif				/* SHADOWGRP */
5ab9c0
@@ -306,7 +308,7 @@ static void group_busy (gid_t gid)
5ab9c0
 	fprintf (stderr,
5ab9c0
 	         _("%s: cannot remove the primary group of user '%s'\n"),
5ab9c0
 	         Prog, pwd->pw_name);
5ab9c0
-	exit (E_GROUP_BUSY);
5ab9c0
+	fail_exit (E_GROUP_BUSY);
5ab9c0
 }
5ab9c0
 
5ab9c0
 /*
5ab9c0
@@ -391,7 +393,7 @@ int main (int argc, char **argv)
5ab9c0
 		fprintf (stderr,
5ab9c0
 		         _("%s: Cannot setup cleanup service.\n"),
5ab9c0
 		         Prog);
5ab9c0
-		exit (1);
5ab9c0
+		fail_exit (1);
5ab9c0
 	}
5ab9c0
 
5ab9c0
 	process_flags (argc, argv);
5ab9c0
@@ -405,7 +407,7 @@ int main (int argc, char **argv)
5ab9c0
 			fprintf (stderr,
5ab9c0
 			         _("%s: Cannot determine your user name.\n"),
5ab9c0
 			         Prog);
5ab9c0
-			exit (1);
5ab9c0
+			fail_exit (1);
5ab9c0
 		}
5ab9c0
 
5ab9c0
 		retval = pam_start ("groupdel", pampw->pw_name, &conv, &pamh);
5ab9c0
@@ -426,7 +428,7 @@ int main (int argc, char **argv)
5ab9c0
 		if (NULL != pamh) {
5ab9c0
 			(void) pam_end (pamh, retval);
5ab9c0
 		}
5ab9c0
-		exit (1);
5ab9c0
+		fail_exit (1);
5ab9c0
 	}
5ab9c0
 	(void) pam_end (pamh, retval);
5ab9c0
 #endif				/* USE_PAM */
5ab9c0
@@ -446,7 +448,7 @@ int main (int argc, char **argv)
5ab9c0
 			fprintf (stderr,
5ab9c0
 			         _("%s: group '%s' does not exist\n"),
5ab9c0
 			         Prog, group_name);
5ab9c0
-			exit (E_NOTFOUND);
5ab9c0
+			fail_exit (E_NOTFOUND);
5ab9c0
 		}
5ab9c0
 
5ab9c0
 		group_id = grp->gr_gid;
5ab9c0
@@ -470,7 +472,7 @@ int main (int argc, char **argv)
5ab9c0
 			         _("%s: %s is the NIS master\n"),
5ab9c0
 			         Prog, nis_master);
5ab9c0
 		}
5ab9c0
-		exit (E_NOTFOUND);
5ab9c0
+		fail_exit (E_NOTFOUND);
5ab9c0
 	}
5ab9c0
 #endif
5ab9c0
 
5ab9c0
diff -up shadow-4.6/src/groupmod.c.audit-update shadow-4.6/src/groupmod.c
5ab9c0
--- shadow-4.6/src/groupmod.c.audit-update	2018-04-29 18:42:37.000000000 +0200
5ab9c0
+++ shadow-4.6/src/groupmod.c	2018-05-28 15:01:09.915717607 +0200
5ab9c0
@@ -449,7 +449,7 @@ static void close_files (void)
5ab9c0
 		exit (E_GRP_UPDATE);
5ab9c0
 	}
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-	audit_logger (AUDIT_USER_ACCT, Prog,
5ab9c0
+	audit_logger (AUDIT_GRP_MGMT, Prog,
5ab9c0
 	              info_group.audit_msg,
5ab9c0
 	              group_name, AUDIT_NO_ID,
5ab9c0
 	              SHADOW_AUDIT_SUCCESS);
5ab9c0
@@ -472,7 +472,14 @@ static void close_files (void)
5ab9c0
 			exit (E_GRP_UPDATE);
5ab9c0
 		}
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_USER_ACCT, Prog,
5ab9c0
+		/* If both happened, log password change as its more important */
5ab9c0
+		if (pflg)
5ab9c0
+			audit_logger (AUDIT_GRP_CHAUTHTOK, Prog,
5ab9c0
+		              info_gshadow.audit_msg,
5ab9c0
+		              group_name, AUDIT_NO_ID,
5ab9c0
+		              SHADOW_AUDIT_SUCCESS);
5ab9c0
+		else
5ab9c0
+			audit_logger (AUDIT_GRP_MGMT, Prog,
5ab9c0
 		              info_gshadow.audit_msg,
5ab9c0
 		              group_name, AUDIT_NO_ID,
5ab9c0
 		              SHADOW_AUDIT_SUCCESS);
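Review bot: The new `if (pflg)` / `else` pair has no braces around two multi-line `audit_logger` calls, and their continuation lines are indented like the surrounding block, so the branch structure is easy to misread or break in a later edit. Both calls differ only in the record type, so choosing it first and keeping a single call is clearer: `int type = pflg ? AUDIT_GRP_CHAUTHTOK : AUDIT_GRP_MGMT;` followed by `audit_logger (type, Prog, info_gshadow.audit_msg, ...)`. The added comment could also read `/* If both happened, log the password change as it is more important */`. close_files starts and ends outside this hunk.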
5ab9c0
@@ -495,7 +502,7 @@ static void close_files (void)
5ab9c0
 			exit (E_GRP_UPDATE);
5ab9c0
 		}
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_USER_ACCT, Prog,
5ab9c0
+		audit_logger (AUDIT_GRP_MGMT, Prog,
5ab9c0
 		              info_passwd.audit_msg,
5ab9c0
 		              group_name, AUDIT_NO_ID,
5ab9c0
 		              SHADOW_AUDIT_SUCCESS);
5ab9c0
@@ -510,8 +517,8 @@ static void close_files (void)
5ab9c0
 	}
5ab9c0
 
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-	audit_logger (AUDIT_USER_ACCT, Prog,
5ab9c0
-	              "modifying group",
5ab9c0
+	audit_logger (AUDIT_GRP_MGMT, Prog,
5ab9c0
+	              "modify-group",
5ab9c0
 	              group_name, AUDIT_NO_ID,
5ab9c0
 	              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
@@ -523,6 +530,8 @@ static void close_files (void)
5ab9c0
  */
5ab9c0
 static void prepare_failure_reports (void)
5ab9c0
 {
5ab9c0
+	char *nv_pair, nv[64];
5ab9c0
+
5ab9c0
 	info_group.name   = group_name;
5ab9c0
 #ifdef	SHADOWGRP
5ab9c0
 	info_gshadow.name = group_name;
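Review bot: `nv_pair` and `nv` are declared unconditionally, and the following hunk calls `audit_encode_nv_string` with no `#ifdef WITH_AUDIT` visible around the call sites. The full body of prepare_failure_reports is not visible here, but if it is also compiled when audit support is off, that build would presumably fail on the missing libaudit symbol. Wrapping the new declarations and the encoding calls in `#ifdef WITH_AUDIT` would keep that configuration building.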
5ab9c0
@@ -535,76 +544,109 @@ static void prepare_failure_reports (voi
5ab9c0
 #endif
5ab9c0
 	info_passwd.audit_msg  = xmalloc (512);
5ab9c0
 
5ab9c0
-	(void) snprintf (info_group.audit_msg, 511,
5ab9c0
-	                 "changing %s; ", gr_dbname ());
5ab9c0
+	info_group.action   = xmalloc (512);
5ab9c0
 #ifdef	SHADOWGRP
5ab9c0
-	(void) snprintf (info_gshadow.audit_msg, 511,
5ab9c0
-	                 "changing %s; ", sgr_dbname ());
5ab9c0
+	info_gshadow.action = xmalloc (512);
5ab9c0
 #endif
5ab9c0
-	(void) snprintf (info_passwd.audit_msg, 511,
5ab9c0
-	                 "changing %s; ", pw_dbname ());
5ab9c0
+	info_passwd.action  = xmalloc (512);
5ab9c0
 
5ab9c0
-	info_group.action   =   info_group.audit_msg
5ab9c0
-	                      + strlen (info_group.audit_msg);
5ab9c0
+	(void) snprintf (info_group.audit_msg, 511,
5ab9c0
+	                 "changing-group");
5ab9c0
 #ifdef	SHADOWGRP
5ab9c0
-	info_gshadow.action =   info_gshadow.audit_msg
5ab9c0
-	                      + strlen (info_gshadow.audit_msg);
5ab9c0
+	(void) snprintf (info_gshadow.audit_msg, 511,
5ab9c0
+	                 "changing-shadow-group");
5ab9c0
 #endif
5ab9c0
-	info_passwd.action  =   info_passwd.audit_msg
5ab9c0
-	                      + strlen (info_passwd.audit_msg);
5ab9c0
+	(void) snprintf (info_passwd.audit_msg, 511,
5ab9c0
+	                 "changing-group-passwd");
5ab9c0
 
5ab9c0
+	nv_pair = audit_encode_nv_string(" grp", group_name,
5ab9c0
+			strlen(group_name));
5ab9c0
+	if(nv_pair) {
5ab9c0
+		strncat(info_group.audit_msg, nv_pair,
5ab9c0
+			511 - strlen(info_group.audit_msg));
5ab9c0
+#ifdef	SHADOWGRP
5ab9c0
+		strncat(info_gshadow.audit_msg, nv_pair,
5ab9c0
+			511 - strlen(info_gshadow.audit_msg));
5ab9c0
+#endif
5ab9c0
+		strncat(info_passwd.audit_msg, nv_pair,
5ab9c0
+			511 - strlen(info_passwd.audit_msg));
5ab9c0
+		free(nv_pair);
5ab9c0
+	}
5ab9c0
+	snprintf(nv, sizeof(nv), " gid=%lu", (unsigned long)group_id);
5ab9c0
+	strncat(info_group.audit_msg, nv, 511 - strlen(info_group.audit_msg));
5ab9c0
+	strncat(info_passwd.audit_msg, nv, 511 - strlen(info_passwd.audit_msg));
5ab9c0
+	
5ab9c0
 	(void) snprintf (info_group.action,
5ab9c0
-	                 511 - strlen (info_group.audit_msg),
5ab9c0
+	                 511,
5ab9c0
 	                 "group %s/%lu",
5ab9c0
 	                 group_name, (unsigned long int) group_id);
5ab9c0
 #ifdef	SHADOWGRP
5ab9c0
 	(void) snprintf (info_gshadow.action,
5ab9c0
-	                 511 - strlen (info_group.audit_msg),
5ab9c0
+	                 511,
5ab9c0
 	                 "group %s", group_name);
5ab9c0
 #endif
5ab9c0
 	(void) snprintf (info_passwd.action,
5ab9c0
-	                 511 - strlen (info_group.audit_msg),
5ab9c0
+	                 511,
5ab9c0
 	                 "group %s/%lu",
5ab9c0
 	                 group_name, (unsigned long int) group_id);
5ab9c0
 
5ab9c0
 	if (nflg) {
5ab9c0
+		nv_pair = audit_encode_nv_string(" new_group", group_newname,
5ab9c0
+				strlen(group_newname));
5ab9c0
+		strncat(info_group.audit_msg, nv_pair,
5ab9c0
+				511 - strlen(info_group.audit_msg));
5ab9c0
 		strncat (info_group.action, ", new name: ",
5ab9c0
-		         511 - strlen (info_group.audit_msg));
5ab9c0
+		         511 - strlen (info_group.action));
5ab9c0
 		strncat (info_group.action, group_newname,
5ab9c0
-		         511 - strlen (info_group.audit_msg));
5ab9c0
+		         511 - strlen (info_group.action));
5ab9c0
 
5ab9c0
 #ifdef	SHADOWGRP
5ab9c0
+		strncat(info_gshadow.audit_msg, nv_pair,
5ab9c0
+				511 - strlen(info_gshadow.audit_msg));
5ab9c0
 		strncat (info_gshadow.action, ", new name: ",
5ab9c0
-		         511 - strlen (info_gshadow.audit_msg));
5ab9c0
+		         511 - strlen (info_gshadow.action));
5ab9c0
 		strncat (info_gshadow.action, group_newname,
5ab9c0
-		         511 - strlen (info_gshadow.audit_msg));
5ab9c0
+		         511 - strlen (info_gshadow.action));
5ab9c0
 #endif
5ab9c0
 
5ab9c0
+		strncat(info_passwd.audit_msg, nv_pair,
5ab9c0
+				511 - strlen(info_passwd.audit_msg));
5ab9c0
 		strncat (info_passwd.action, ", new name: ",
5ab9c0
-		         511 - strlen (info_passwd.audit_msg));
5ab9c0
+		         511 - strlen (info_passwd.action));
5ab9c0
 		strncat (info_passwd.action, group_newname,
5ab9c0
-		         511 - strlen (info_passwd.audit_msg));
5ab9c0
+		         511 - strlen (info_passwd.action));
5ab9c0
+		free(nv_pair);
5ab9c0
 	}
5ab9c0
 	if (pflg) {
5ab9c0
+		strncat(info_passwd.audit_msg, "op=change-password",
5ab9c0
+			511 - strlen (info_passwd.action));
5ab9c0
+
5ab9c0
+		/* Note: audit doesn't want this value recorded */
5ab9c0
 		strncat (info_group.action, ", new password",
5ab9c0
-		         511 - strlen (info_group.audit_msg));
5ab9c0
+		         511 - strlen (info_group.action));
5ab9c0
 
5ab9c0
 #ifdef	SHADOWGRP
5ab9c0
 		strncat (info_gshadow.action, ", new password",
5ab9c0
-		         511 - strlen (info_gshadow.audit_msg));
5ab9c0
+		         511 - strlen (info_gshadow.action));
5ab9c0
 #endif
5ab9c0
 	}
5ab9c0
 	if (gflg) {
5ab9c0
+		snprintf(nv, sizeof(nv), " new_gid=%lu", (unsigned long)group_newid);
5ab9c0
+		strncat(info_group.audit_msg, nv,
5ab9c0
+				511 - strlen(info_group.audit_msg));
5ab9c0
+		strncat(info_passwd.audit_msg, nv,
5ab9c0
+				511 - strlen(info_passwd.audit_msg));
5ab9c0
+
5ab9c0
 		strncat (info_group.action, ", new gid: ",
5ab9c0
-		         511 - strlen (info_group.audit_msg));
5ab9c0
+		         511 - strlen (info_group.action));
5ab9c0
 		(void) snprintf (info_group.action+strlen (info_group.action),
5ab9c0
-		                 511 - strlen (info_group.audit_msg),
5ab9c0
+		                 511 - strlen (info_group.action),
5ab9c0
 		                 "%lu", (unsigned long int) group_newid);
5ab9c0
 
5ab9c0
 		strncat (info_passwd.action, ", new gid: ",
5ab9c0
-		         511 - strlen (info_passwd.audit_msg));
5ab9c0
+		         511 - strlen (info_passwd.action));
5ab9c0
 		(void) snprintf (info_passwd.action+strlen (info_passwd.action),
5ab9c0
-		                 511 - strlen (info_passwd.audit_msg),
5ab9c0
+		                 511 - strlen (info_passwd.action),
5ab9c0
 		                 "%lu", (unsigned long int) group_newid);
5ab9c0
 	}
5ab9c0
 	info_group.audit_msg[511]   = '\0';
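Review bot: In the `if (pflg)` branch the new `strncat(info_passwd.audit_msg, "op=change-password", 511 - strlen (info_passwd.action))` bounds a write to `audit_msg` with the length of a different buffer, so the limit no longer tracks the space left in the 512-byte destination; it should be `511 - strlen (info_passwd.audit_msg)`. The appended text also lacks the leading space that the other fields here carry (`" grp"`, `" gid=%lu"`, `" new_gid=%lu"`), so it would run straight into the preceding value and make the record harder to parse. In the `if (nflg)` branch the result of `audit_encode_nv_string` goes to `strncat` without the `if(nv_pair)` check used for the first call earlier in the hunk, so a NULL return would be dereferenced; the three `strncat(..., nv_pair, ...)` calls and the `free` belong under the same guard. prepare_failure_reports starts before this hunk and continues after it.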
5ab9c0
@@ -612,6 +654,11 @@ static void prepare_failure_reports (voi
5ab9c0
 	info_gshadow.audit_msg[511] = '\0';
5ab9c0
 #endif
5ab9c0
 	info_passwd.audit_msg[511]  = '\0';
5ab9c0
+	info_group.action[511]   = '\0';
5ab9c0
+#ifdef	SHADOWGRP
5ab9c0
+	info_gshadow.action[511] = '\0';
5ab9c0
+#endif
5ab9c0
+	info_passwd.action[511]  = '\0';
5ab9c0
 
5ab9c0
 // FIXME: add a system cleanup
5ab9c0
 	add_cleanup (cleanup_report_mod_group, &info_group);
5ab9c0
diff -up shadow-4.6/src/chage.c.audit-update shadow-4.6/src/chage.c
5ab9c0
--- shadow-4.6/src/chage.c.audit-update	2018-04-29 18:42:37.000000000 +0200
5ab9c0
+++ shadow-4.6/src/chage.c	2018-05-28 15:01:09.915717607 +0200
5ab9c0
@@ -126,9 +126,10 @@ static /*@noreturn@*/void fail_exit (int
5ab9c0
 
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 	if (E_SUCCESS != code) {
5ab9c0
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              "change age",
5ab9c0
-		              user_name, (unsigned int) user_uid, 0);
5ab9c0
+		audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "change-age",
5ab9c0
+		              user_name, (unsigned int) user_uid,
5ab9c0
+		              SHADOW_AUDIT_FAILURE);
5ab9c0
 	}
5ab9c0
 #endif
5ab9c0
 
5ab9c0
@@ -873,11 +874,7 @@ int main (int argc, char **argv)
5ab9c0
 			fprintf (stderr, _("%s: Permission denied.\n"), Prog);
5ab9c0
 			fail_exit (E_NOPERM);
5ab9c0
 		}
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              "display aging info",
5ab9c0
-		              user_name, (unsigned int) user_uid, 1);
5ab9c0
-#endif
5ab9c0
+		/* Displaying fields is not of interest to audit */
5ab9c0
 		list_fields ();
5ab9c0
 		fail_exit (E_SUCCESS);
5ab9c0
 	}
5ab9c0
@@ -896,41 +893,43 @@ int main (int argc, char **argv)
5ab9c0
 		}
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		else {
5ab9c0
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-			              "change all aging information",
5ab9c0
-			              user_name, (unsigned int) user_uid, 1);
5ab9c0
+			audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+			              "change-all-aging-information",
5ab9c0
+			              user_name, (unsigned int) user_uid,
5ab9c0
+			              SHADOW_AUDIT_SUCCESS);
5ab9c0
 		}
5ab9c0
 #endif
5ab9c0
 	} else {
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		if (Mflg) {
5ab9c0
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-			              "change max age",
5ab9c0
-			              user_name, (unsigned int) user_uid, 1);
5ab9c0
+			audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+			              "change-max-age",
5ab9c0
+			              user_name, (unsigned int) user_uid,
5ab9c0
+			              SHADOW_AUDIT_SUCCESS);
5ab9c0
 		}
5ab9c0
 		if (mflg) {
5ab9c0
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-			              "change min age",
5ab9c0
+			audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+			              "change-min-age",
5ab9c0
 			              user_name, (unsigned int) user_uid, 1);
5ab9c0
 		}
5ab9c0
 		if (dflg) {
5ab9c0
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-			              "change last change date",
5ab9c0
+			audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+			              "change-last-change-date",
5ab9c0
 			              user_name, (unsigned int) user_uid, 1);
5ab9c0
 		}
5ab9c0
 		if (Wflg) {
5ab9c0
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-			              "change passwd warning",
5ab9c0
+			audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+			              "change-passwd-warning",
5ab9c0
 			              user_name, (unsigned int) user_uid, 1);
5ab9c0
 		}
5ab9c0
 		if (Iflg) {
5ab9c0
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-			              "change inactive days",
5ab9c0
+			audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+			              "change-inactive-days",
5ab9c0
 			              user_name, (unsigned int) user_uid, 1);
5ab9c0
 		}
5ab9c0
 		if (Eflg) {
5ab9c0
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-			              "change passwd expiration",
5ab9c0
+			audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+			              "change-passwd-expiration",
5ab9c0
 			              user_name, (unsigned int) user_uid, 1);
5ab9c0
 		}
5ab9c0
 #endif
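Review bot: Five of the calls in this hunk (`mflg`, `dflg`, `Wflg`, `Iflg`, `Eflg`) still pass the literal `1` as the result, while the two above them were switched to `SHADOW_AUDIT_SUCCESS`. Using the constant throughout, `user_name, (unsigned int) user_uid, SHADOW_AUDIT_SUCCESS);`, keeps the call sites uniform and stops them depending on the numeric value of `shadow_audit_result`, whose definition is not visible here. main's body continues outside the hunk.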
5ab9c0
diff -up shadow-4.6/src/newgrp.c.audit-update shadow-4.6/src/newgrp.c
5ab9c0
--- shadow-4.6/src/newgrp.c.audit-update	2018-04-29 18:42:37.000000000 +0200
5ab9c0
+++ shadow-4.6/src/newgrp.c	2018-05-28 15:01:09.915717607 +0200
5ab9c0
@@ -206,11 +206,12 @@ static void check_perms (const struct gr
5ab9c0
 		    strcmp (cpasswd, grp->gr_passwd) != 0) {
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 			snprintf (audit_buf, sizeof(audit_buf),
5ab9c0
-			          "authentication new-gid=%lu",
5ab9c0
+			          "authentication new_gid=%lu",
5ab9c0
 			          (unsigned long) grp->gr_gid);
5ab9c0
 			audit_logger (AUDIT_GRP_AUTH, Prog,
5ab9c0
 			              audit_buf, NULL,
5ab9c0
-			              (unsigned int) getuid (), 0);
5ab9c0
+			              (unsigned int) getuid (),
5ab9c0
+			              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
 			SYSLOG ((LOG_INFO,
5ab9c0
 				 "Invalid password for group '%s' from '%s'",
5ab9c0
@@ -221,11 +222,12 @@ static void check_perms (const struct gr
5ab9c0
 		}
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		snprintf (audit_buf, sizeof(audit_buf),
5ab9c0
-		          "authentication new-gid=%lu",
5ab9c0
+		          "authentication new_gid=%lu",
5ab9c0
 		          (unsigned long) grp->gr_gid);
5ab9c0
 		audit_logger (AUDIT_GRP_AUTH, Prog,
5ab9c0
 		              audit_buf, NULL,
5ab9c0
-		              (unsigned int) getuid (), 1);
5ab9c0
+		              (unsigned int) getuid (),
5ab9c0
+		              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
 	}
5ab9c0
 
5ab9c0
@@ -236,19 +238,6 @@ failure:
5ab9c0
 	 * harm.  -- JWP
5ab9c0
 	 */
5ab9c0
 	closelog ();
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-	if (groupname) {
5ab9c0
-		snprintf (audit_buf, sizeof(audit_buf),
5ab9c0
-		          "changing new-group=%s", groupname);
5ab9c0
-		audit_logger (AUDIT_CHGRP_ID, Prog,
5ab9c0
-		              audit_buf, NULL,
5ab9c0
-		              (unsigned int) getuid (), 0);
5ab9c0
-	} else {
5ab9c0
-		audit_logger (AUDIT_CHGRP_ID, Prog,
5ab9c0
-		              "changing", NULL,
5ab9c0
-		              (unsigned int) getuid (), 0);
5ab9c0
-	}
5ab9c0
-#endif
5ab9c0
 	exit (EXIT_FAILURE);
5ab9c0
 }
5ab9c0
 
5ab9c0
@@ -320,15 +309,27 @@ static void syslog_sg (const char *name,
5ab9c0
 				 is_newgrp ? "newgrp" : "sg", strerror (errno));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 			if (group) {
5ab9c0
-				snprintf (audit_buf, sizeof(audit_buf),
5ab9c0
-				          "changing new-group=%s", group);
5ab9c0
+				char enc_group[(GROUP_NAME_MAX_LENGTH*2)+1];
5ab9c0
+				int len = strnlen(group, sizeof(enc_group)/2);
5ab9c0
+				if (audit_value_needs_encoding(group, len)) {
5ab9c0
+					snprintf (audit_buf, sizeof(audit_buf),
5ab9c0
+					          "changing new_group=%s",
5ab9c0
+					          audit_encode_value(enc_group,
5ab9c0
+					          group, len));
5ab9c0
+				} else {
5ab9c0
+					snprintf (audit_buf, sizeof(audit_buf),
5ab9c0
+					          "changing new_group=\"%s\"",
5ab9c0
+					          group);
5ab9c0
+				}
5ab9c0
 				audit_logger (AUDIT_CHGRP_ID, Prog,
5ab9c0
 				              audit_buf, NULL,
5ab9c0
-				              (unsigned int) getuid (), 0);
5ab9c0
+				              (unsigned int) getuid (),
5ab9c0
+				              SHADOW_AUDIT_FAILURE);
5ab9c0
 			} else {
5ab9c0
 				audit_logger (AUDIT_CHGRP_ID, Prog,
5ab9c0
 				              "changing", NULL,
5ab9c0
-				              (unsigned int) getuid (), 0);
5ab9c0
+				              (unsigned int) getuid (),
5ab9c0
+				              SHADOW_AUDIT_FAILURE);
5ab9c0
 			}
5ab9c0
 #endif
5ab9c0
 			exit (EXIT_FAILURE);
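Review bot: The encoding check and the logged text cover different byte ranges: `audit_value_needs_encoding(group, len)` inspects only the first `len` bytes, capped by `strnlen` at `sizeof(enc_group)/2`, but the unencoded branch prints the whole string through `\"%s\"`. Whether `group` is length-checked before this point is not visible here; if it is not, a name longer than the cap could put bytes into the audit record that were never examined. Bounding the output to what was checked closes the gap: `"changing new_group=\"%.*s\"", len, group`. The same block is repeated in the two `main` hunks at `@@ -573,15 +574,26 @@` and `@@ -862,15 +874,24 @@`, so a small static helper that fills `audit_buf` would keep the three copies from drifting apart. syslog_sg starts and ends outside this hunk.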
5ab9c0
@@ -457,7 +458,7 @@ int main (int argc, char **argv)
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		audit_logger (AUDIT_CHGRP_ID, Prog,
5ab9c0
 		              "changing", NULL,
5ab9c0
-		              (unsigned int) getuid (), 0);
5ab9c0
+		              (unsigned int) getuid (), SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
 		SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)",
5ab9c0
 		         (unsigned long) getuid ()));
5ab9c0
@@ -573,15 +574,26 @@ int main (int argc, char **argv)
5ab9c0
 		perror ("getgroups");
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		if (group) {
5ab9c0
-			snprintf (audit_buf, sizeof(audit_buf),
5ab9c0
-			          "changing new-group=%s", group);
5ab9c0
+			char enc_group[(GROUP_NAME_MAX_LENGTH*2)+1];
5ab9c0
+			int len = strnlen(group, sizeof(enc_group)/2);
5ab9c0
+			if (audit_value_needs_encoding(group, len)) {
5ab9c0
+				snprintf (audit_buf, sizeof(audit_buf),
5ab9c0
+				          "changing new_group=%s",
5ab9c0
+				          audit_encode_value(enc_group,
5ab9c0
+				          group, len));
5ab9c0
+			} else {
5ab9c0
+				snprintf (audit_buf, sizeof(audit_buf),
5ab9c0
+				          "changing new_group=\"%s\"", group);
5ab9c0
+			}
5ab9c0
 			audit_logger (AUDIT_CHGRP_ID, Prog,
5ab9c0
 			              audit_buf, NULL,
5ab9c0
-			              (unsigned int) getuid (), 0);
5ab9c0
+			              (unsigned int) getuid (),
5ab9c0
+			              SHADOW_AUDIT_FAILURE);
5ab9c0
 		} else {
5ab9c0
 			audit_logger (AUDIT_CHGRP_ID, Prog,
5ab9c0
 			              "changing", NULL,
5ab9c0
-			              (unsigned int) getuid (), 0);
5ab9c0
+			              (unsigned int) getuid (),
5ab9c0
+			              SHADOW_AUDIT_FAILURE);
5ab9c0
 		}
5ab9c0
 #endif
5ab9c0
 		exit (EXIT_FAILURE);
5ab9c0
@@ -738,10 +750,10 @@ int main (int argc, char **argv)
5ab9c0
 		perror ("setgid");
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		snprintf (audit_buf, sizeof(audit_buf),
5ab9c0
-		          "changing new-gid=%lu", (unsigned long) gid);
5ab9c0
+		          "changing new_gid=%lu", (unsigned long) gid);
5ab9c0
 		audit_logger (AUDIT_CHGRP_ID, Prog,
5ab9c0
 		              audit_buf, NULL,
5ab9c0
-		              (unsigned int) getuid (), 0);
5ab9c0
+		              (unsigned int) getuid (), SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
 		exit (EXIT_FAILURE);
5ab9c0
 	}
5ab9c0
@@ -750,10 +762,10 @@ int main (int argc, char **argv)
5ab9c0
 		perror ("setuid");
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		snprintf (audit_buf, sizeof(audit_buf),
5ab9c0
-		          "changing new-gid=%lu", (unsigned long) gid);
5ab9c0
+		          "changing new_gid=%lu", (unsigned long) gid);
5ab9c0
 		audit_logger (AUDIT_CHGRP_ID, Prog,
5ab9c0
 		              audit_buf, NULL,
5ab9c0
-		              (unsigned int) getuid (), 0);
5ab9c0
+		              (unsigned int) getuid (), SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
 		exit (EXIT_FAILURE);
5ab9c0
 	}
5ab9c0
@@ -767,10 +779,10 @@ int main (int argc, char **argv)
5ab9c0
 		execl (SHELL, "sh", "-c", command, (char *) 0);
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		snprintf (audit_buf, sizeof(audit_buf),
5ab9c0
-		          "changing new-gid=%lu", (unsigned long) gid);
5ab9c0
+		          "changing new_gid=%lu", (unsigned long) gid);
5ab9c0
 		audit_logger (AUDIT_CHGRP_ID, Prog,
5ab9c0
 		              audit_buf, NULL,
5ab9c0
-		              (unsigned int) getuid (), 0);
5ab9c0
+		              (unsigned int) getuid (), SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
 		perror (SHELL);
5ab9c0
 		exit ((errno == ENOENT) ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
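Review bot: `errno` from the failed `execl` is read by `perror (SHELL)` and by `exit ((errno == ENOENT) ? ...)` only after `snprintf` and `audit_logger` have run, and either call may overwrite it. Saving the value with `int err = errno;` directly after `execl` and restoring it with `errno = err;` before `perror` keeps both the message and the exit status tied to the exec failure. The ordering predates this commit, but the hunk edits the block and is a natural place to fix it. main continues outside the hunk.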
5ab9c0
@@ -834,11 +846,11 @@ int main (int argc, char **argv)
5ab9c0
 	}
5ab9c0
 
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-	snprintf (audit_buf, sizeof(audit_buf), "changing new-gid=%lu",
5ab9c0
+	snprintf (audit_buf, sizeof(audit_buf), "changing new_gid=%lu",
5ab9c0
 	          (unsigned long) gid);
5ab9c0
 	audit_logger (AUDIT_CHGRP_ID, Prog,
5ab9c0
 	              audit_buf, NULL,
5ab9c0
-	              (unsigned int) getuid (), 1);
5ab9c0
+	              (unsigned int) getuid (), SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
 	/*
5ab9c0
 	 * Exec the login shell and go away. We are trying to get back to
5ab9c0
@@ -862,15 +874,24 @@ int main (int argc, char **argv)
5ab9c0
 	closelog ();
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 	if (NULL != group) {
5ab9c0
-		snprintf (audit_buf, sizeof(audit_buf),
5ab9c0
-		          "changing new-group=%s", group);
5ab9c0
+		char enc_group[(GROUP_NAME_MAX_LENGTH*2)+1];
5ab9c0
+		int len = strnlen(group, sizeof(enc_group)/2);
5ab9c0
+		if (audit_value_needs_encoding(group, len)) {
5ab9c0
+			snprintf (audit_buf, sizeof(audit_buf),
5ab9c0
+			          "changing new_group=%s",
5ab9c0
+			          audit_encode_value(enc_group,
5ab9c0
+			          group, len));
5ab9c0
+		} else {
5ab9c0
+			snprintf (audit_buf, sizeof(audit_buf),
5ab9c0
+			          "changing new_group=\"%s\"", group);
5ab9c0
+		}
5ab9c0
 		audit_logger (AUDIT_CHGRP_ID, Prog, 
5ab9c0
 		              audit_buf, NULL,
5ab9c0
-		              (unsigned int) getuid (), 0);
5ab9c0
+		              (unsigned int) getuid (), SHADOW_AUDIT_FAILURE);
5ab9c0
 	} else {
5ab9c0
 		audit_logger (AUDIT_CHGRP_ID, Prog,
5ab9c0
 		              "changing", NULL,
5ab9c0
-		              (unsigned int) getuid (), 0);
5ab9c0
+		              (unsigned int) getuid (), SHADOW_AUDIT_FAILURE);
5ab9c0
 	}
5ab9c0
 #endif
5ab9c0
 	exit (EXIT_FAILURE);
5ab9c0
diff -up shadow-4.6/src/useradd.c.audit-update shadow-4.6/src/useradd.c
5ab9c0
--- shadow-4.6/src/useradd.c.audit-update	2018-05-28 15:01:09.903717352 +0200
5ab9c0
+++ shadow-4.6/src/useradd.c	2018-05-28 15:06:36.824662074 +0200
5ab9c0
@@ -229,6 +229,8 @@ static void create_mail (void);
5ab9c0
  */
5ab9c0
 static void fail_exit (int code)
5ab9c0
 {
5ab9c0
+	int type;
5ab9c0
+
5ab9c0
 	if (home_added) {
5ab9c0
 		if (rmdir (prefix_user_home) != 0) {
5ab9c0
 			fprintf (stderr,
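Review bot: `int type;` is declared unconditionally, but its only visible use is inside the `#ifdef WITH_AUDIT` block added in the later hunk at `@@ -310,20 +282,19 @@`. A build without audit support would then carry an unused variable and warn about it. Guarding the declaration the same way, `#ifdef WITH_AUDIT` / `int type;` / `#endif`, avoids that. fail_exit's body continues outside this hunk.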
5ab9c0
@@ -242,12 +244,6 @@ static void fail_exit (int code)
5ab9c0
 		if (spw_unlock () == 0) {
5ab9c0
 			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ());
5ab9c0
 			SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-			              "unlocking shadow file",
5ab9c0
-			              user_name, AUDIT_NO_ID,
5ab9c0
-			              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif
5ab9c0
 			/* continue */
5ab9c0
 		}
5ab9c0
 	}
5ab9c0
@@ -255,12 +251,6 @@ static void fail_exit (int code)
5ab9c0
 		if (pw_unlock () == 0) {
5ab9c0
 			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ());
5ab9c0
 			SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-			              "unlocking passwd file",
5ab9c0
-			              user_name, AUDIT_NO_ID,
5ab9c0
-			              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif
5ab9c0
 			/* continue */
5ab9c0
 		}
5ab9c0
 	}
5ab9c0
@@ -268,12 +258,6 @@ static void fail_exit (int code)
5ab9c0
 		if (gr_unlock () == 0) {
5ab9c0
 			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
5ab9c0
 			SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-			              "unlocking group file",
5ab9c0
-			              user_name, AUDIT_NO_ID,
5ab9c0
-			              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif
5ab9c0
 			/* continue */
5ab9c0
 		}
5ab9c0
 	}
5ab9c0
@@ -282,12 +266,6 @@ static void fail_exit (int code)
5ab9c0
 		if (sgr_unlock () == 0) {
5ab9c0
 			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
5ab9c0
 			SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-			              "unlocking gshadow file",
5ab9c0
-			              user_name, AUDIT_NO_ID,
5ab9c0
-			              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif
5ab9c0
 			/* continue */
5ab9c0
 		}
5ab9c0
 	}
5ab9c0
@@ -297,12 +275,6 @@ static void fail_exit (int code)
5ab9c0
 		if (sub_uid_unlock () == 0) {
5ab9c0
 			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_uid_dbname ());
5ab9c0
 			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-			              "unlocking subordinate user file",
5ab9c0
-			              user_name, AUDIT_NO_ID,
5ab9c0
-			              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif
5ab9c0
 			/* continue */
5ab9c0
 		}
5ab9c0
 	}
5ab9c0
@@ -310,20 +282,19 @@ static void fail_exit (int code)
5ab9c0
 		if (sub_gid_unlock () == 0) {
5ab9c0
 			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sub_gid_dbname ());
5ab9c0
 			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-			              "unlocking subordinate group file",
5ab9c0
-			              user_name, AUDIT_NO_ID,
5ab9c0
-			              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif
5ab9c0
 			/* continue */
5ab9c0
 		}
5ab9c0
 	}
5ab9c0
 #endif				/* ENABLE_SUBIDS */
5ab9c0
 
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-	audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-	              "adding user",
5ab9c0
+	if (code == E_PW_UPDATE || code >= E_GRP_UPDATE)
5ab9c0
+		type = AUDIT_USER_MGMT;
5ab9c0
+	else
5ab9c0
+		type = AUDIT_ADD_USER;
5ab9c0
+
5ab9c0
+	audit_logger (type, Prog,
5ab9c0
+	              "add-user",
5ab9c0
 	              user_name, AUDIT_NO_ID,
5ab9c0
 	              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
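Review bot: The `code >= E_GRP_UPDATE` test picks the audit record type by the numeric ordering of the exit codes, so any `E_*` value later added above `E_GRP_UPDATE` would silently be reported as `AUDIT_USER_MGMT`. The exit-code definitions are outside this hunk; if a fixed set of codes is intended, listing them explicitly would be safer. Otherwise a comment such as `/* exit codes from E_GRP_UPDATE upward are reported as USER_MGMT */` would document the dependency. The unbraced `if`/`else` would also read better with braces, matching the rest of fail_exit.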
5ab9c0
@@ -673,7 +644,7 @@ static int set_defaults (void)
5ab9c0
 	}
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 	audit_logger (AUDIT_USYS_CONFIG, Prog,
5ab9c0
-	              "changing useradd defaults",
5ab9c0
+	              "changing-useradd-defaults",
5ab9c0
 	              NULL, AUDIT_NO_ID,
5ab9c0
 	              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
@@ -950,12 +921,6 @@ static void grp_update (void)
5ab9c0
 			         _("%s: Out of memory. Cannot update %s.\n"),
5ab9c0
 			         Prog, gr_dbname ());
5ab9c0
 			SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name));
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-			              "adding user to group",
5ab9c0
-			              user_name, AUDIT_NO_ID,
5ab9c0
-			              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif
5ab9c0
 			fail_exit (E_GRP_UPDATE);	/* XXX */
5ab9c0
 		}
5ab9c0
 
5ab9c0
@@ -969,18 +934,12 @@ static void grp_update (void)
5ab9c0
 			         _("%s: failed to prepare the new %s entry '%s'\n"),
5ab9c0
 			         Prog, gr_dbname (), ngrp->gr_name);
5ab9c0
 			SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", gr_dbname (), user_name));
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-			              "adding user to group",
5ab9c0
-			              user_name, AUDIT_NO_ID,
5ab9c0
-			              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif
5ab9c0
 			fail_exit (E_GRP_UPDATE);
5ab9c0
 		}
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-		              "adding user to group",
5ab9c0
-		              user_name, AUDIT_NO_ID,
5ab9c0
+		audit_logger_with_group (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "add-user-to-group",
5ab9c0
+		              user_name, AUDIT_NO_ID, ngrp->gr_name,
5ab9c0
 		              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
 		SYSLOG ((LOG_INFO,
5ab9c0
@@ -1025,12 +984,6 @@ static void grp_update (void)
5ab9c0
 			         _("%s: Out of memory. Cannot update %s.\n"),
5ab9c0
 			         Prog, sgr_dbname ());
5ab9c0
 			SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name));
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-			              "adding user to shadow group",
5ab9c0
-			              user_name, AUDIT_NO_ID,
5ab9c0
-			              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif
5ab9c0
 			fail_exit (E_GRP_UPDATE);	/* XXX */
5ab9c0
 		}
5ab9c0
 
5ab9c0
@@ -1044,18 +997,13 @@ static void grp_update (void)
5ab9c0
 			         _("%s: failed to prepare the new %s entry '%s'\n"),
5ab9c0
 			         Prog, sgr_dbname (), nsgrp->sg_name);
5ab9c0
 			SYSLOG ((LOG_ERR, "failed to prepare the new %s entry '%s'", sgr_dbname (), user_name));
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-			              "adding user to shadow group",
5ab9c0
-			              user_name, AUDIT_NO_ID,
5ab9c0
-			              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif
5ab9c0
+
5ab9c0
 			fail_exit (E_GRP_UPDATE);
5ab9c0
 		}
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-		              "adding user to shadow group",
5ab9c0
-		              user_name, AUDIT_NO_ID,
5ab9c0
+		audit_logger_with_group (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "add-to-shadow-group",
5ab9c0
+		              user_name, AUDIT_NO_ID, nsgrp->sg_name,
5ab9c0
 		              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
 		SYSLOG ((LOG_INFO,
5ab9c0
@@ -1407,7 +1355,7 @@ static void process_flags (int argc, cha
5ab9c0
 			         Prog, user_name);
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-			              "adding user",
5ab9c0
+			              "add-user",
5ab9c0
 			              user_name, AUDIT_NO_ID,
5ab9c0
 			              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
@@ -1522,7 +1470,7 @@ static void close_files (void)
5ab9c0
 			SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-			              "unlocking shadow file",
5ab9c0
+			              "unlocking-shadow-file",
5ab9c0
 			              user_name, AUDIT_NO_ID,
5ab9c0
 			              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
@@ -1535,7 +1483,7 @@ static void close_files (void)
5ab9c0
 		SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-		              "unlocking passwd file",
5ab9c0
+		              "unlocking-passwd-file",
5ab9c0
 		              user_name, AUDIT_NO_ID,
5ab9c0
 		              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
@@ -1547,7 +1495,7 @@ static void close_files (void)
5ab9c0
 		SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-		              "unlocking group file",
5ab9c0
+		              "unlocking-group-file",
5ab9c0
 		              user_name, AUDIT_NO_ID,
5ab9c0
 		              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
@@ -1561,7 +1509,7 @@ static void close_files (void)
5ab9c0
 			SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-			              "unlocking gshadow file",
5ab9c0
+			              "unlocking-gshadow-file",
5ab9c0
 			              user_name, AUDIT_NO_ID,
5ab9c0
 			              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
@@ -1577,7 +1525,7 @@ static void close_files (void)
5ab9c0
 			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_uid_dbname ()));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-				"unlocking subordinate user file",
5ab9c0
+				"unlocking-subordinate-user-file",
5ab9c0
 				user_name, AUDIT_NO_ID,
5ab9c0
 				SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
@@ -1591,7 +1539,7 @@ static void close_files (void)
5ab9c0
 			SYSLOG ((LOG_ERR, "failed to unlock %s", sub_gid_dbname ()));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-				"unlocking subordinate group file",
5ab9c0
+				"unlocking-subordinate-group-file",
5ab9c0
 				user_name, AUDIT_NO_ID,
5ab9c0
 				SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
@@ -1783,7 +1731,7 @@ static void grp_add (void)
5ab9c0
 		         Prog, gr_dbname (), grp.gr_name);
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		audit_logger (AUDIT_ADD_GROUP, Prog,
5ab9c0
-		              "adding group",
5ab9c0
+		              "add-group",
5ab9c0
 		              grp.gr_name, AUDIT_NO_ID,
5ab9c0
 		              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
@@ -1799,7 +1747,7 @@ static void grp_add (void)
5ab9c0
 		         Prog, sgr_dbname (), sgrp.sg_name);
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		audit_logger (AUDIT_ADD_GROUP, Prog,
5ab9c0
-		              "adding group",
5ab9c0
+		              "add-group",
5ab9c0
 		              grp.gr_name, AUDIT_NO_ID,
5ab9c0
 		              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
@@ -1809,7 +1757,7 @@ static void grp_add (void)
5ab9c0
 	SYSLOG ((LOG_INFO, "new group: name=%s, GID=%u", user_name, user_gid));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 	audit_logger (AUDIT_ADD_GROUP, Prog,
5ab9c0
-	              "adding group",
5ab9c0
+	              "add-group",
5ab9c0
 	              grp.gr_name, AUDIT_NO_ID,
5ab9c0
 	              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
@@ -1970,12 +1918,6 @@ static void usr_update (void)
5ab9c0
 		fprintf (stderr,
5ab9c0
 		         _("%s: failed to prepare the new %s entry '%s'\n"),
5ab9c0
 		         Prog, spw_dbname (), spent.sp_namp);
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-		              "adding shadow password",
5ab9c0
-		              user_name, (unsigned int) user_id,
5ab9c0
-		              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif
5ab9c0
 		fail_exit (E_PW_UPDATE);
5ab9c0
 	}
5ab9c0
 #ifdef ENABLE_SUBIDS
5ab9c0
@@ -1996,9 +1938,14 @@ static void usr_update (void)
5ab9c0
 #endif				/* ENABLE_SUBIDS */
5ab9c0
 
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
+	/*
5ab9c0
+	 * Even though we have the ID of the user, we won't send it now
5ab9c0
+	 * because its not written to disk yet. After close_files it is
5ab9c0
+	 * and we can use the real ID thereafter.
5ab9c0
+	 */
5ab9c0
 	audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-	              "adding user",
5ab9c0
-	              user_name, (unsigned int) user_id,
5ab9c0
+	              "add-user",
5ab9c0
+	              user_name, AUDIT_NO_ID,
5ab9c0
 	              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
 	/*
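Review bot: The `add-user` success record in usr_update is written before the new entry is committed, which the added comment itself acknowledges. If a later step fails (close_files is outside this hunk, so this is inferred), the trail would hold a success record followed by a failure for the same account. Consider emitting the success record after the commit, where the real ID could also be logged, or state in the comment that this record only means the entry was prepared. The comment also needs `it's` for `its`: `because it's not written to disk yet.`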
5ab9c0
@@ -2032,12 +1979,6 @@ static void create_home (void)
5ab9c0
 			fprintf (stderr,
5ab9c0
 			         _("%s: cannot create directory %s\n"),
5ab9c0
 			         Prog, prefix_user_home);
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-			              "adding home directory",
5ab9c0
-			              user_name, (unsigned int) user_id,
5ab9c0
-			              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif
5ab9c0
 			fail_exit (E_HOMEDIR);
5ab9c0
 		}
5ab9c0
 		(void) chown (prefix_user_home, user_id, user_gid);
5ab9c0
@@ -2045,8 +1986,8 @@ static void create_home (void)
5ab9c0
 		       0777 & ~getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
5ab9c0
 		home_added = true;
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-		              "adding home directory",
5ab9c0
+		audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "add-home-dir",
5ab9c0
 		              user_name, (unsigned int) user_id,
5ab9c0
 		              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
@@ -2231,12 +2172,6 @@ int main (int argc, char **argv)
5ab9c0
 	 */
5ab9c0
 	if (prefix_getpwnam (user_name) != NULL) { /* local, no need for xgetpwnam */
5ab9c0
 		fprintf (stderr, _("%s: user '%s' already exists\n"), Prog, user_name);
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-		              "adding user",
5ab9c0
-		              user_name, AUDIT_NO_ID,
5ab9c0
-		              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif
5ab9c0
 		fail_exit (E_NAME_IN_USE);
5ab9c0
 	}
5ab9c0
 
5ab9c0
@@ -2252,12 +2187,6 @@ int main (int argc, char **argv)
5ab9c0
 			fprintf (stderr,
5ab9c0
 			         _("%s: group %s exists - if you want to add this user to that group, use -g.\n"),
5ab9c0
 			         Prog, user_name);
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-			              "adding group",
5ab9c0
-			              user_name, AUDIT_NO_ID,
5ab9c0
-			              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif
5ab9c0
 			fail_exit (E_NAME_IN_USE);
5ab9c0
 		}
5ab9c0
 	}
5ab9c0
@@ -2287,12 +2216,6 @@ int main (int argc, char **argv)
5ab9c0
 				fprintf (stderr,
5ab9c0
 				         _("%s: UID %lu is not unique\n"),
5ab9c0
 				         Prog, (unsigned long) user_id);
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-				audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-				              "adding user",
5ab9c0
-				              user_name, (unsigned int) user_id,
5ab9c0
-				              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif
5ab9c0
 				fail_exit (E_UID_IN_USE);
5ab9c0
 			}
5ab9c0
 		}
5ab9c0
@@ -2365,9 +2283,10 @@ int main (int argc, char **argv)
5ab9c0
 			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
5ab9c0
 			         Prog, user_name, user_selinux);
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-			              "adding SELinux user mapping",
5ab9c0
-			              user_name, (unsigned int) user_id, 0);
5ab9c0
+			audit_logger (AUDIT_ROLE_ASSIGN, Prog,
5ab9c0
+			              "add-selinux-user-mapping",
5ab9c0
+			              user_name, (unsigned int) user_id,
5ab9c0
+			              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif				/* WITH_AUDIT */
5ab9c0
 			rv = E_SE_UPDATE;
5ab9c0
 		    }
5ab9c0
diff -up shadow-4.6/src/userdel.c.audit-update shadow-4.6/src/userdel.c
5ab9c0
--- shadow-4.6/src/userdel.c.audit-update	2018-05-28 15:01:09.909717479 +0200
5ab9c0
+++ shadow-4.6/src/userdel.c	2018-05-28 15:01:09.916717628 +0200
5ab9c0
@@ -219,9 +219,9 @@ static void update_groups (void)
5ab9c0
 		 * Update the DBM group file with the new entry as well.
5ab9c0
 		 */
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-		              "deleting user from group",
5ab9c0
-		              user_name, (unsigned int) user_id,
5ab9c0
+		audit_logger_with_group (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "deleting-user-from-group",
5ab9c0
+		              user_name, (unsigned int) user_id, ngrp->gr_name,
5ab9c0
 		              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif				/* WITH_AUDIT */
5ab9c0
 		SYSLOG ((LOG_INFO, "delete '%s' from group '%s'\n",
5ab9c0
@@ -281,9 +281,9 @@ static void update_groups (void)
5ab9c0
 			exit (E_GRP_UPDATE);
5ab9c0
 		}
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-		              "deleting user from shadow group",
5ab9c0
-		              user_name, (unsigned int) user_id,
5ab9c0
+		audit_logger_with_group (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "deleting-user-from-shadow-group",
5ab9c0
+		              user_name, (unsigned int) user_id, nsgrp->sg_name,
5ab9c0
 		              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif				/* WITH_AUDIT */
5ab9c0
 		SYSLOG ((LOG_INFO, "delete '%s' from shadow group '%s'\n",
5ab9c0
@@ -360,9 +360,9 @@ static void remove_usergroup (void)
5ab9c0
 		}
5ab9c0
 
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_DEL_GROUP, Prog,
5ab9c0
-		              "deleting group",
5ab9c0
-		              user_name, AUDIT_NO_ID,
5ab9c0
+		audit_logger_with_group (AUDIT_DEL_GROUP, Prog,
5ab9c0
+		              "delete-group",
5ab9c0
+		              user_name, AUDIT_NO_ID, user_name,
5ab9c0
 		              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif				/* WITH_AUDIT */
5ab9c0
 		SYSLOG ((LOG_INFO,
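Review bot: Missing documentation: `user_name` is passed twice to audit_logger_with_group in remove_usergroup, once as the account and once as the group, and nothing says why. Presumably the group being removed is the user's private group and carries the user's name; a comment such as `/* the user's private group has the same name as the user */` above the call would make that explicit. The following hunk logs the shadow-group removal as AUDIT_GRP_MGMT while this one uses AUDIT_DEL_GROUP; if that split is intended, the comment should mention it as well.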
5ab9c0
@@ -378,9 +378,9 @@ static void remove_usergroup (void)
5ab9c0
 				fail_exit (E_GRP_UPDATE);
5ab9c0
 			}
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_DEL_GROUP, Prog,
5ab9c0
-			              "deleting shadow group",
5ab9c0
-			              user_name, AUDIT_NO_ID,
5ab9c0
+			audit_logger_with_group (AUDIT_GRP_MGMT, Prog,
5ab9c0
+			              "delete-shadow-group",
5ab9c0
+			              user_name, AUDIT_NO_ID, user_name,
5ab9c0
 			              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif				/* WITH_AUDIT */
5ab9c0
 			SYSLOG ((LOG_INFO,
5ab9c0
@@ -542,7 +542,7 @@ static void fail_exit (int code)
5ab9c0
 
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 	audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-	              "deleting user",
5ab9c0
+	              "delete-user",
5ab9c0
 	              user_name, (unsigned int) user_id,
5ab9c0
 	              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif				/* WITH_AUDIT */
5ab9c0
@@ -562,24 +562,12 @@ static void open_files (void)
5ab9c0
 		fprintf (stderr,
5ab9c0
 		         _("%s: cannot lock %s; try again later.\n"),
5ab9c0
 		         Prog, pw_dbname ());
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-		              "locking password file",
5ab9c0
-		              user_name, (unsigned int) user_id,
5ab9c0
-		              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif				/* WITH_AUDIT */
5ab9c0
 		fail_exit (E_PW_UPDATE);
5ab9c0
 	}
5ab9c0
 	pw_locked = true;
5ab9c0
 	if (pw_open (O_CREAT | O_RDWR) == 0) {
5ab9c0
 		fprintf (stderr,
5ab9c0
 		         _("%s: cannot open %s\n"), Prog, pw_dbname ());
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-		              "opening password file",
5ab9c0
-		              user_name, (unsigned int) user_id,
5ab9c0
-		              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif				/* WITH_AUDIT */
5ab9c0
 		fail_exit (E_PW_UPDATE);
5ab9c0
 	}
5ab9c0
 	if (is_shadow_pwd) {
5ab9c0
@@ -587,12 +575,6 @@ static void open_files (void)
5ab9c0
 			fprintf (stderr,
5ab9c0
 			         _("%s: cannot lock %s; try again later.\n"),
5ab9c0
 			         Prog, spw_dbname ());
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-			              "locking shadow password file",
5ab9c0
-			              user_name, (unsigned int) user_id,
5ab9c0
-			              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif				/* WITH_AUDIT */
5ab9c0
 			fail_exit (E_PW_UPDATE);
5ab9c0
 		}
5ab9c0
 		spw_locked = true;
5ab9c0
@@ -600,12 +582,6 @@ static void open_files (void)
5ab9c0
 			fprintf (stderr,
5ab9c0
 			         _("%s: cannot open %s\n"),
5ab9c0
 			         Prog, spw_dbname ());
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-			              "opening shadow password file",
5ab9c0
-			              user_name, (unsigned int) user_id,
5ab9c0
-			              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif				/* WITH_AUDIT */
5ab9c0
 			fail_exit (E_PW_UPDATE);
5ab9c0
 		}
5ab9c0
 	}
5ab9c0
@@ -613,23 +589,11 @@ static void open_files (void)
5ab9c0
 		fprintf (stderr,
5ab9c0
 		         _("%s: cannot lock %s; try again later.\n"),
5ab9c0
 		         Prog, gr_dbname ());
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-		              "locking group file",
5ab9c0
-		              user_name, (unsigned int) user_id,
5ab9c0
-		              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif				/* WITH_AUDIT */
5ab9c0
 		fail_exit (E_GRP_UPDATE);
5ab9c0
 	}
5ab9c0
 	gr_locked = true;
5ab9c0
 	if (gr_open (O_CREAT | O_RDWR) == 0) {
5ab9c0
 		fprintf (stderr, _("%s: cannot open %s\n"), Prog, gr_dbname ());
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-		              "opening group file",
5ab9c0
-		              user_name, (unsigned int) user_id,
5ab9c0
-		              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif				/* WITH_AUDIT */
5ab9c0
 		fail_exit (E_GRP_UPDATE);
5ab9c0
 	}
5ab9c0
 #ifdef	SHADOWGRP
5ab9c0
@@ -638,24 +602,12 @@ static void open_files (void)
5ab9c0
 			fprintf (stderr,
5ab9c0
 			         _("%s: cannot lock %s; try again later.\n"),
5ab9c0
 			         Prog, sgr_dbname ());
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-			              "locking shadow group file",
5ab9c0
-			              user_name, (unsigned int) user_id,
5ab9c0
-			              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif				/* WITH_AUDIT */
5ab9c0
 			fail_exit (E_GRP_UPDATE);
5ab9c0
 		}
5ab9c0
 		sgr_locked= true;
5ab9c0
 		if (sgr_open (O_CREAT | O_RDWR) == 0) {
5ab9c0
 			fprintf (stderr, _("%s: cannot open %s\n"),
5ab9c0
 			         Prog, sgr_dbname ());
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-			              "opening shadow group file",
5ab9c0
-			              user_name, (unsigned int) user_id,
5ab9c0
-			              SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif				/* WITH_AUDIT */
5ab9c0
 			fail_exit (E_GRP_UPDATE);
5ab9c0
 		}
5ab9c0
 	}
5ab9c0
@@ -666,24 +618,12 @@ static void open_files (void)
5ab9c0
 			fprintf (stderr,
5ab9c0
 				_("%s: cannot lock %s; try again later.\n"),
5ab9c0
 				Prog, sub_uid_dbname ());
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-				"locking subordinate user file",
5ab9c0
-				user_name, (unsigned int) user_id,
5ab9c0
-				SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif				/* WITH_AUDIT */
5ab9c0
 			fail_exit (E_SUB_UID_UPDATE);
5ab9c0
 		}
5ab9c0
 		sub_uid_locked = true;
5ab9c0
 		if (sub_uid_open (O_CREAT | O_RDWR) == 0) {
5ab9c0
 			fprintf (stderr,
5ab9c0
 				_("%s: cannot open %s\n"), Prog, sub_uid_dbname ());
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-				"opening subordinate user file",
5ab9c0
-				user_name, (unsigned int) user_id,
5ab9c0
-				SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif				/* WITH_AUDIT */
5ab9c0
 			fail_exit (E_SUB_UID_UPDATE);
5ab9c0
 		}
5ab9c0
 	}
5ab9c0
@@ -692,24 +632,12 @@ static void open_files (void)
5ab9c0
 			fprintf (stderr,
5ab9c0
 				_("%s: cannot lock %s; try again later.\n"),
5ab9c0
 				Prog, sub_gid_dbname ());
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-				"locking subordinate group file",
5ab9c0
-				user_name, (unsigned int) user_id,
5ab9c0
-				SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif				/* WITH_AUDIT */
5ab9c0
 			fail_exit (E_SUB_GID_UPDATE);
5ab9c0
 		}
5ab9c0
 		sub_gid_locked = true;
5ab9c0
 		if (sub_gid_open (O_CREAT | O_RDWR) == 0) {
5ab9c0
 			fprintf (stderr,
5ab9c0
 				_("%s: cannot open %s\n"), Prog, sub_gid_dbname ());
5ab9c0
-#ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-				"opening subordinate group file",
5ab9c0
-				user_name, (unsigned int) user_id,
5ab9c0
-				SHADOW_AUDIT_FAILURE);
5ab9c0
-#endif				/* WITH_AUDIT */
5ab9c0
 			fail_exit (E_SUB_GID_UPDATE);
5ab9c0
 		}
5ab9c0
 	}
5ab9c0
@@ -754,7 +682,7 @@ static void update_user (void)
5ab9c0
 #endif				/* ENABLE_SUBIDS */
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 	audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-	              "deleting user entries",
5ab9c0
+	              "delete-user",
5ab9c0
 	              user_name, (unsigned int) user_id,
5ab9c0
 	              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif				/* WITH_AUDIT */
5ab9c0
@@ -862,7 +790,7 @@ static int remove_mailbox (void)
5ab9c0
 			SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno)));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 			audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-			              "deleting mail file",
5ab9c0
+			              "delete-mail-file",
5ab9c0
 			              user_name, (unsigned int) user_id,
5ab9c0
 			              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif				/* WITH_AUDIT */
5ab9c0
@@ -879,7 +807,7 @@ static int remove_mailbox (void)
5ab9c0
 			SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno)));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 			audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-			              "deleting mail file",
5ab9c0
+			              "delete-mail-file",
5ab9c0
 			              user_name, (unsigned int) user_id,
5ab9c0
 			              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif				/* WITH_AUDIT */
5ab9c0
@@ -889,8 +817,8 @@ static int remove_mailbox (void)
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		else
5ab9c0
 		{
5ab9c0
-			audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-			              "deleting mail file",
5ab9c0
+			audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+			              "delete-mail-file",
5ab9c0
 			              user_name, (unsigned int) user_id,
5ab9c0
 			              SHADOW_AUDIT_SUCCESS);
5ab9c0
 		}
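Review bot: Success and failure of the same operation now land in different record types: this branch of remove_mailbox logs `delete-mail-file` success as AUDIT_USER_MGMT, while the failure branches in the neighbouring hunks keep AUDIT_DEL_USER. A query filtered on one type sees only half of the outcomes. The second success branch in remove_mailbox and the `deleting-home-directory` pair in main have the same split. If the intent is that a failed sub-step counts as a failed user deletion, a short comment at each site should say so; otherwise use `audit_logger (AUDIT_USER_MGMT, Prog,` on the failure calls too.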
5ab9c0
@@ -908,7 +836,7 @@ static int remove_mailbox (void)
5ab9c0
 		         mailfile, strerror (errno)));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-		              "deleting mail file",
5ab9c0
+		              "delete-mail-file",
5ab9c0
 		              user_name, (unsigned int) user_id,
5ab9c0
 		              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif				/* WITH_AUDIT */
5ab9c0
@@ -925,7 +853,7 @@ static int remove_mailbox (void)
5ab9c0
 		SYSLOG ((LOG_ERR, "Cannot remove %s: %s", mailfile, strerror (errno)));
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-		              "deleting mail file",
5ab9c0
+		              "delete-mail-file",
5ab9c0
 		              user_name, (unsigned int) user_id,
5ab9c0
 		              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif				/* WITH_AUDIT */
5ab9c0
@@ -935,8 +863,8 @@ static int remove_mailbox (void)
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 	else
5ab9c0
 	{
5ab9c0
-		audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-		              "deleting mail file",
5ab9c0
+		audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "delete-mail-file",
5ab9c0
 		              user_name, (unsigned int) user_id,
5ab9c0
 		              SHADOW_AUDIT_SUCCESS);
5ab9c0
 	}
5ab9c0
@@ -1149,7 +1077,7 @@ int main (int argc, char **argv)
5ab9c0
 				 Prog, user_name);
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 			audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-			              "deleting user not found",
5ab9c0
+			              "deleting-user-not-found",
5ab9c0
 			              user_name, AUDIT_NO_ID,
5ab9c0
 			              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif				/* WITH_AUDIT */
5ab9c0
@@ -1205,7 +1133,7 @@ int main (int argc, char **argv)
5ab9c0
 		if (!fflg) {
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 			audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-			              "deleting user logged in",
5ab9c0
+			              "deleting-user-logged-in",
5ab9c0
 			              user_name, AUDIT_NO_ID,
5ab9c0
 			              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif				/* WITH_AUDIT */
5ab9c0
@@ -1282,8 +1210,8 @@ int main (int argc, char **argv)
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		else
5ab9c0
 		{
5ab9c0
-			audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-			              "deleting home directory",
5ab9c0
+			audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+			              "deleting-home-directory",
5ab9c0
 			              user_name, (unsigned int) user_id,
5ab9c0
 			              SHADOW_AUDIT_SUCCESS);
5ab9c0
 		}
5ab9c0
@@ -1292,7 +1220,7 @@ int main (int argc, char **argv)
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 	if (0 != errors) {
5ab9c0
 		audit_logger (AUDIT_DEL_USER, Prog,
5ab9c0
-		              "deleting home directory",
5ab9c0
+		              "deleting-home-directory",
5ab9c0
 		              user_name, AUDIT_NO_ID,
5ab9c0
 		              SHADOW_AUDIT_FAILURE);
5ab9c0
 	}
5ab9c0
@@ -1305,8 +1233,8 @@ int main (int argc, char **argv)
5ab9c0
 			         _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"),
5ab9c0
 			         Prog, user_name);
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-			              "removing SELinux user mapping",
5ab9c0
+			audit_logger (AUDIT_ROLE_REMOVE, Prog,
5ab9c0
+			              "delete-selinux-user-mapping",
5ab9c0
 			              user_name, (unsigned int) user_id,
5ab9c0
 			              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif				/* WITH_AUDIT */
5ab9c0
diff -up shadow-4.6/src/usermod.c.audit-update shadow-4.6/src/usermod.c
5ab9c0
--- shadow-4.6/src/usermod.c.audit-update	2018-05-28 15:01:09.912717543 +0200
5ab9c0
+++ shadow-4.6/src/usermod.c	2018-05-28 15:08:25.424969050 +0200
5ab9c0
@@ -453,8 +453,8 @@ static char *new_pw_passwd (char *pw_pas
5ab9c0
 
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              "updating passwd",
5ab9c0
-		              user_newname, (unsigned int) user_newid, 0);
5ab9c0
+		              "updating-password",
5ab9c0
+		              user_newname, (unsigned int) user_newid, 1);
5ab9c0
 #endif
5ab9c0
 		SYSLOG ((LOG_INFO, "lock user '%s' password", user_newname));
5ab9c0
 		strcpy (buf, "!");
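Review bot: Locking, unlocking and changing a password now all produce the op `updating-password` in new_pw_passwd, so the audit record no longer tells an account lock from an unlock. Only the SYSLOG lines (`lock user`, `unlock user`, `change user`) keep the distinction, and anyone reviewing account lockouts from the audit trail alone loses it. I would give each branch its own op, for example `"lock-password",` here and `"unlock-password",` in the next hunk, leaving `"updating-password"` for the pflg branch. new_pw_passwd continues outside the hunk.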
5ab9c0
@@ -473,8 +473,8 @@ static char *new_pw_passwd (char *pw_pas
5ab9c0
 
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              "updating password",
5ab9c0
-		              user_newname, (unsigned int) user_newid, 0);
5ab9c0
+		              "updating-password",
5ab9c0
+		              user_newname, (unsigned int) user_newid, 1);
5ab9c0
 #endif
5ab9c0
 		SYSLOG ((LOG_INFO, "unlock user '%s' password", user_newname));
5ab9c0
 		s = pw_pass;
5ab9c0
@@ -485,7 +485,7 @@ static char *new_pw_passwd (char *pw_pas
5ab9c0
 	} else if (pflg) {
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              "changing password",
5ab9c0
+		              "updating-password",
5ab9c0
 		              user_newname, (unsigned int) user_newid, 1);
5ab9c0
 #endif
5ab9c0
 		SYSLOG ((LOG_INFO, "change user '%s' password", user_newname));
5ab9c0
@@ -514,8 +514,8 @@ static void new_pwent (struct passwd *pw
5ab9c0
 			fail_exit (E_NAME_IN_USE);
5ab9c0
 		}
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              "changing name",
5ab9c0
+		audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "changing-name",
5ab9c0
 		              user_newname, (unsigned int) user_newid, 1);
5ab9c0
 #endif
5ab9c0
 		SYSLOG ((LOG_INFO,
5ab9c0
@@ -535,8 +535,8 @@ static void new_pwent (struct passwd *pw
5ab9c0
 
5ab9c0
 	if (uflg) {
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              "changing uid",
5ab9c0
+		audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "changing-uid",
5ab9c0
 		              user_newname, (unsigned int) user_newid, 1);
5ab9c0
 #endif
5ab9c0
 		SYSLOG ((LOG_INFO,
5ab9c0
@@ -546,8 +546,8 @@ static void new_pwent (struct passwd *pw
5ab9c0
 	}
5ab9c0
 	if (gflg) {
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              "changing primary group",
5ab9c0
+		audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "changing-primary-group",
5ab9c0
 		              user_newname, (unsigned int) user_newid, 1);
5ab9c0
 #endif
5ab9c0
 		SYSLOG ((LOG_INFO,
5ab9c0
@@ -557,8 +557,8 @@ static void new_pwent (struct passwd *pw
5ab9c0
 	}
5ab9c0
 	if (cflg) {
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              "changing comment",
5ab9c0
+		audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "changing-comment",
5ab9c0
 		              user_newname, (unsigned int) user_newid, 1);
5ab9c0
 #endif
5ab9c0
 		pwent->pw_gecos = user_newcomment;
5ab9c0
@@ -566,8 +566,8 @@ static void new_pwent (struct passwd *pw
5ab9c0
 
5ab9c0
 	if (dflg) {
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              "changing home directory",
5ab9c0
+		audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "changing-home-dir",
5ab9c0
 		              user_newname, (unsigned int) user_newid, 1);
5ab9c0
 #endif
5ab9c0
 		SYSLOG ((LOG_INFO,
5ab9c0
@@ -577,8 +577,8 @@ static void new_pwent (struct passwd *pw
5ab9c0
 	}
5ab9c0
 	if (sflg) {
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              "changing user shell",
5ab9c0
+		audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "changing-shell",
5ab9c0
 		              user_newname, (unsigned int) user_newid, 1);
5ab9c0
 #endif
5ab9c0
 		SYSLOG ((LOG_INFO,
5ab9c0
@@ -608,8 +608,8 @@ static void new_spent (struct spwd *spen
5ab9c0
 
5ab9c0
 	if (fflg) {
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              "changing inactive days",
5ab9c0
+		audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "changing-inactive-days",
5ab9c0
 		              user_newname, (unsigned int) user_newid, 1);
5ab9c0
 #endif
5ab9c0
 		SYSLOG ((LOG_INFO,
5ab9c0
@@ -625,8 +625,8 @@ static void new_spent (struct spwd *spen
5ab9c0
 		date_to_str (old_exp, sizeof(old_exp),
5ab9c0
 		             user_expire * DAY);
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-		              "changing expiration date",
5ab9c0
+		audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+		              "changing-expiration-date",
5ab9c0
 		              user_newname, (unsigned int) user_newid, 1);
5ab9c0
 #endif
5ab9c0
 		SYSLOG ((LOG_INFO,
5ab9c0
@@ -709,9 +709,9 @@ static /*@noreturn@*/void fail_exit (int
5ab9c0
 #endif				/* ENABLE_SUBIDS */
5ab9c0
 
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-	audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-	              "modifying account",
5ab9c0
-	              user_name, AUDIT_NO_ID, 0);
5ab9c0
+	audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+	              "modify-account",
5ab9c0
+	              user_name, AUDIT_NO_ID, SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif
5ab9c0
 	exit (code);
5ab9c0
 }
5ab9c0
@@ -765,9 +765,12 @@ static void update_group (void)
5ab9c0
 					                         user_newname);
5ab9c0
 					changed = true;
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-					audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-					              "changing group member",
5ab9c0
-					              user_newname, AUDIT_NO_ID, 1);
5ab9c0
+					audit_logger_with_group (
5ab9c0
+					              AUDIT_USER_MGMT, Prog,
5ab9c0
+					              "update-member-in-group",
5ab9c0
+					              user_newname, AUDIT_NO_ID,
5ab9c0
+					              ngrp->gr_name,
5ab9c0
+					              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
 					SYSLOG ((LOG_INFO,
5ab9c0
 					         "change '%s' to '%s' in group '%s'",
5ab9c0
@@ -781,9 +784,11 @@ static void update_group (void)
5ab9c0
 				ngrp->gr_mem = del_list (ngrp->gr_mem, user_name);
5ab9c0
 				changed = true;
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-				              "removing group member",
5ab9c0
-				              user_name, AUDIT_NO_ID, 1);
5ab9c0
+				audit_logger_with_group (AUDIT_USER_MGMT, Prog,
5ab9c0
+				              "delete-user-from-group",
5ab9c0
+				              user_name, AUDIT_NO_ID,
5ab9c0
+				              ngrp->gr_name,
5ab9c0
+				              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
 				SYSLOG ((LOG_INFO,
5ab9c0
 				         "delete '%s' from group '%s'",
5ab9c0
@@ -796,9 +801,11 @@ static void update_group (void)
5ab9c0
 			ngrp->gr_mem = add_list (ngrp->gr_mem, user_newname);
5ab9c0
 			changed = true;
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-			              "adding user to group",
5ab9c0
-			              user_name, AUDIT_NO_ID, 1);
5ab9c0
+			audit_logger_with_group (AUDIT_USER_MGMT, Prog,
5ab9c0
+			              "add-user-to-group",
5ab9c0
+			              user_name, AUDIT_NO_ID,
5ab9c0
+			              ngrp->gr_name,
5ab9c0
+			              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
 			SYSLOG ((LOG_INFO, "add '%s' to group '%s'",
5ab9c0
 			         user_newname, ngrp->gr_name));
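Review bot: The audit record names `user_name`, but the member actually added and the SYSLOG line right below both use `user_newname`, so when the account is renamed in the same run the record points at the old name. The matching `add-user-to-shadow-group` call in update_gshadow passes `user_newname`. Suggested: `user_newname, AUDIT_NO_ID,`. The update_gshadow hunks for the admin rename and the member rename also log `user_name` where update_group's `update-member-in-group` logs `user_newname`, so they should be checked for the same reason. update_group starts and ends outside the hunk.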
5ab9c0
@@ -873,9 +880,10 @@ static void update_gshadow (void)
5ab9c0
 			nsgrp->sg_adm = add_list (nsgrp->sg_adm, user_newname);
5ab9c0
 			changed = true;
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-			              "changing admin name in shadow group",
5ab9c0
-			              user_name, AUDIT_NO_ID, 1);
5ab9c0
+			audit_logger_with_group (AUDIT_GRP_MGMT, Prog,
5ab9c0
+			              "update-admin-name-in-shadow-group",
5ab9c0
+			              user_name, AUDIT_NO_ID, nsgrp->sg_name,
5ab9c0
+			              SHADOW_AUDIT_SUCCESS);
5ab9c0
 #endif
5ab9c0
 			SYSLOG ((LOG_INFO,
5ab9c0
 			         "change admin '%s' to '%s' in shadow group '%s'",
5ab9c0
@@ -895,9 +903,10 @@ static void update_gshadow (void)
5ab9c0
 					                          user_newname);
5ab9c0
 					changed = true;
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-					audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-					              "changing member in shadow group",
5ab9c0
-					              user_name, AUDIT_NO_ID, 1);
5ab9c0
+					audit_logger_with_group (AUDIT_USER_MGMT, Prog,
5ab9c0
+					              "update-member-in-shadow-group",
5ab9c0
+					              user_name, AUDIT_NO_ID,
5ab9c0
+					              nsgrp->sg_name, 1);
5ab9c0
 #endif
5ab9c0
 					SYSLOG ((LOG_INFO,
5ab9c0
 					         "change '%s' to '%s' in shadow group '%s'",
5ab9c0
@@ -911,9 +920,10 @@ static void update_gshadow (void)
5ab9c0
 				nsgrp->sg_mem = del_list (nsgrp->sg_mem, user_name);
5ab9c0
 				changed = true;
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-				              "removing user from shadow group",
5ab9c0
-				              user_name, AUDIT_NO_ID, 1);
5ab9c0
+				audit_logger_with_group (AUDIT_USER_MGMT, Prog,
5ab9c0
+				              "delete-user-from-shadow-group",
5ab9c0
+				              user_name, AUDIT_NO_ID,
5ab9c0
+				              nsgrp->sg_name, 1);
5ab9c0
 #endif
5ab9c0
 				SYSLOG ((LOG_INFO,
5ab9c0
 				         "delete '%s' from shadow group '%s'",
5ab9c0
@@ -926,9 +936,10 @@ static void update_gshadow (void)
5ab9c0
 			nsgrp->sg_mem = add_list (nsgrp->sg_mem, user_newname);
5ab9c0
 			changed = true;
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-			              "adding user to shadow group",
5ab9c0
-			              user_newname, AUDIT_NO_ID, 1);
5ab9c0
+			audit_logger_with_group (AUDIT_USER_MGMT, Prog,
5ab9c0
+			              "add-user-to-shadow-group",
5ab9c0
+			              user_newname, AUDIT_NO_ID,
5ab9c0
+			              nsgrp->sg_name, 1);
5ab9c0
 #endif
5ab9c0
 			SYSLOG ((LOG_INFO, "add '%s' to shadow group '%s'",
5ab9c0
 			         user_newname, nsgrp->sg_name));
5ab9c0
@@ -1789,8 +1800,8 @@ static void move_home (void)
5ab9c0
 
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		if (uflg || gflg) {
5ab9c0
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-				      "changing home directory owner",
5ab9c0
+			audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+				      "updating-home-dir-owner",
5ab9c0
 				      user_newname, (unsigned int) user_newid, 1);
5ab9c0
 		}
5ab9c0
 #endif
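Review bot: The new op string `"updating-home-dir-owner"` uses a gerund, as do `"moving-home-dir"`, `"updating-mail-file-owner"` and `"updating-mail-file-name"` in later hunks, while the update_gshadow hunks and the SELinux removal hunk use a bare verb (`"update-member-in-shadow-group"`, `"delete-selinux-user-mapping"`). The hyphenated form presumably exists so that consumers can match `op` as a single token, and one verb form throughout would make those matches predictable, for example `"update-home-dir-owner",` here. move_home continues outside the hunk.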
5ab9c0
@@ -1808,8 +1819,8 @@ static void move_home (void)
5ab9c0
 				fail_exit (E_HOMEDIR);
5ab9c0
 			}
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-			              "moving home directory",
5ab9c0
+			audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+			              "moving-home-dir",
5ab9c0
 			              user_newname, (unsigned int) user_newid,
5ab9c0
 			              1);
5ab9c0
 #endif
5ab9c0
@@ -1828,9 +1839,9 @@ static void move_home (void)
5ab9c0
 						         Prog, prefix_user_home);
5ab9c0
 					}
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-					audit_logger (AUDIT_USER_CHAUTHTOK,
5ab9c0
+					audit_logger (AUDIT_USER_MGMT,
5ab9c0
 					              Prog,
5ab9c0
-					              "moving home directory",
5ab9c0
+					              "moving-home-dir",
5ab9c0
 					              user_newname,
5ab9c0
 					              (unsigned int) user_newid,
5ab9c0
 					              1);
5ab9c0
@@ -2045,8 +2056,8 @@ static void move_mailbox (void)
5ab9c0
 		}
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		else {
5ab9c0
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-			              "changing mail file owner",
5ab9c0
+			audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+			              "updating-mail-file-owner",
5ab9c0
 			              user_newname, (unsigned int) user_newid, 1);
5ab9c0
 		}
5ab9c0
 #endif
5ab9c0
@@ -2072,8 +2083,8 @@ static void move_mailbox (void)
5ab9c0
 		}
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 		else {
5ab9c0
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-			              "changing mail file name",
5ab9c0
+			audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+			              "updating-mail-file-name",
5ab9c0
 			              user_newname, (unsigned int) user_newid, 1);
5ab9c0
 		}
5ab9c0
 #endif
5ab9c0
@@ -2267,8 +2278,8 @@ int main (int argc, char **argv)
5ab9c0
 				         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
5ab9c0
 				         Prog, user_name, user_selinux);
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-				              "modifying User mapping ",
5ab9c0
+				audit_logger (AUDIT_ROLE_ASSIGN, Prog,
5ab9c0
+				              "changing-selinux-user-mapping ",
5ab9c0
 				              user_name, (unsigned int) user_id,
5ab9c0
 				              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif				/* WITH_AUDIT */
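Review bot: The op string `"changing-selinux-user-mapping "` keeps the trailing space of the old message, so the value handed to audit_logger ends in a space and presumably will not compare equal to the hyphenated token a rule or report would look for. Drop it: `"changing-selinux-user-mapping",`. This call sits inside main, whose body extends beyond the hunk.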
5ab9c0
@@ -2280,8 +2291,8 @@ int main (int argc, char **argv)
5ab9c0
 				         _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"),
5ab9c0
 				         Prog, user_name);
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
-				audit_logger (AUDIT_ADD_USER, Prog,
5ab9c0
-				              "removing SELinux user mapping",
5ab9c0
+				audit_logger (AUDIT_ROLE_REMOVE, Prog,
5ab9c0
+				              "delete-selinux-user-mapping",
5ab9c0
 				              user_name, (unsigned int) user_id,
5ab9c0
 				              SHADOW_AUDIT_FAILURE);
5ab9c0
 #endif				/* WITH_AUDIT */
5ab9c0
@@ -2319,8 +2330,8 @@ int main (int argc, char **argv)
5ab9c0
 			 */
5ab9c0
 #ifdef WITH_AUDIT
5ab9c0
 			if (uflg || gflg) {
5ab9c0
-				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
5ab9c0
-					      "changing home directory owner",
5ab9c0
+				audit_logger (AUDIT_USER_MGMT, Prog,
5ab9c0
+					      "updating-home-dir-owner",
5ab9c0
 					      user_newname, (unsigned int) user_newid, 1);
5ab9c0
 			}
5ab9c0
 #endif