diff --git a/.audit.metadata b/.audit.metadata
new file mode 100644
index 0000000..e27b1fc
--- /dev/null
+++ b/.audit.metadata
@@ -0,0 +1 @@
+62fcac8cbd20c796b909b91f8f615f8556b22a24 SOURCES/audit-2.8.5.tar.gz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3859a24
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/audit-2.8.5.tar.gz
diff --git a/SOURCES/audit-2.7.1-rhel7-fixup.patch b/SOURCES/audit-2.7.1-rhel7-fixup.patch
new file mode 100644
index 0000000..d34cfb1
--- /dev/null
+++ b/SOURCES/audit-2.7.1-rhel7-fixup.patch
@@ -0,0 +1,21 @@
+diff -urp audit-2.7.1.orig/auparse/classify.c audit-2.7.1/auparse/classify.c
+--- audit-2.7.1.orig/auparse/normalize.c 2016-12-21 19:00:51.000000000 -0500
++++ audit-2.7.1/auparse/normalize.c 2016-12-22 12:22:21.259800153 -0500
+@@ -241,7 +241,7 @@ static void simple_file_attr(auparse_sta
+ switch (type)
+ {
+ case AUDIT_PATH:
+- f = auparse_find_field(au, "nametype");
++ f = auparse_find_field(au, "objtype");
+ if (f && strcmp(f, "PARENT") == 0) {
+ if (parent == 0)
+ parent = auparse_get_record_num(au);
+@@ -280,7 +280,7 @@ static void set_file_object(auparse_stat
+
+ // Now double check that we picked the right one.
+ do {
+- f = auparse_find_field(au, "nametype");
++ f = auparse_find_field(au, "objtype");
+ if (f) {
+ if (strcmp(f, "PARENT"))
+ break;
diff --git a/SOURCES/audit-2.7.5-no-backlog-wait-time.patch b/SOURCES/audit-2.7.5-no-backlog-wait-time.patch
new file mode 100644
index 0000000..8ffca7e
--- /dev/null
+++ b/SOURCES/audit-2.7.5-no-backlog-wait-time.patch
@@ -0,0 +1,38 @@
+diff -ur audit-2.7.5.orig/docs/auditctl.8 audit-2.7.5/docs/auditctl.8
+--- audit-2.7.5.orig/docs/auditctl.8 2017-04-10 10:22:22.000000000 -0400
++++ audit-2.7.5/docs/auditctl.8 2017-04-10 10:46:51.704436241 -0400
+@@ -10,9 +10,6 @@
+ .BI \-b\ backlog
+ Set max number of outstanding audit buffers allowed (Kernel Default=64) If all buffers are full, the failure flag is consulted by the kernel for action.
+ .TP
+-.BI \-\-backlog_wait_time \ \fIwait_time\fP
+-Set the time for the kernel to wait (Kernel Default 60*HZ) when the backlog_limit is reached before queuing more audit events to be transferred to auditd. The number must be greater than or equal to zero and less that 10 times the default value.
+-.TP
+ .B \-c
+ Continue loading rules in spite of an error. This summarizes the results of loading the rules. The exit code will not be success if any rule fails to load.
+ .TP
+diff -ur audit-2.7.5.orig/docs/Makefile.in audit-2.7.5/docs/Makefile.in
+--- audit-2.7.5.orig/docs/Makefile.in 2017-04-10 10:31:52.000000000 -0400
++++ audit-2.7.5/docs/Makefile.in 2017-04-10 10:49:12.389447484 -0400
+@@ -373,7 +373,7 @@
+ ausearch_next_event.3 ausearch_set_stop.3 \
+ autrace.8 get_auditfail_action.3 set_aumessage_mode.3 \
+ audispd.8 audispd.conf.5 audispd-zos-remote.8 libaudit.conf.5 \
+-augenrules.8 audit_set_backlog_wait_time.3 \
++augenrules.8 \
+ zos-remote.conf.5
+
+ all: all-am
+diff -ur audit-2.7.5.orig/rules/10-base-config.rules audit-2.7.5/rules/10-base-config.rules
+--- audit-2.7.5.orig/rules/10-base-config.rules 2017-04-10 10:22:22.000000000 -0400
++++ audit-2.7.5/rules/10-base-config.rules 2017-04-10 10:47:56.555441424 -0400
+@@ -5,9 +5,6 @@
+ ## Make this bigger for busy systems
+ -b 8192
+
+-## This determine how long to wait in burst of events
+---backlog_wait_time 0
+-
+ ## Set failure mode to syslog
+ -f 1
+
diff --git a/SOURCES/audit-2.8.6-memleak.patch b/SOURCES/audit-2.8.6-memleak.patch
new file mode 100644
index 0000000..77a3b40
--- /dev/null
+++ b/SOURCES/audit-2.8.6-memleak.patch
@@ -0,0 +1,20 @@
+diff --git a/auparse/auparse.c b/auparse/auparse.c
+index 650db02..fe0feb1 100644
+--- a/auparse/auparse.c
++++ b/auparse/auparse.c
+@@ -259,15 +259,6 @@ static event_list_t *au_get_ready_event(auparse_state_t *au, int is_test)
+ if (lowest && lowest->status == EBS_COMPLETE) {
+ lowest->status = EBS_EMPTY;
+ au->au_ready--;
+- // Try to consolidate the array so that we iterate
+- // over a smaller portion next time
+- if (lowest == &lol->array[lol->maxi]) {
+- au_lolnode *ptr = lowest;
+- while (ptr->status == EBS_EMPTY && lol->maxi > 0) {
+- lol->maxi--;
+- ptr = &lol->array[lol->maxi];
+- }
+- }
+ return lowest->l;
+ }
+
diff --git a/SOURCES/audit-3.0-avc.patch b/SOURCES/audit-3.0-avc.patch
new file mode 100644
index 0000000..8af4ceb
--- /dev/null
+++ b/SOURCES/audit-3.0-avc.patch
@@ -0,0 +1,96 @@
+diff -urp audit-3.0.orig/src/ausearch-parse.c audit-3.0/src/ausearch-parse.c
+--- audit-3.0.orig/src/ausearch-parse.c 2019-03-15 15:30:39.000000000 -0400
++++ audit-3.0/src/ausearch-parse.c 2019-04-16 16:08:52.862402589 -0400
+@@ -49,7 +49,7 @@ static int parse_dir(const lnode *n, sea
+ static int common_path_parser(search_items *s, char *path);
+ static int avc_parse_path(const lnode *n, search_items *s);
+ static int parse_path(const lnode *n, search_items *s);
+-static int parse_user(const lnode *n, search_items *s);
++static int parse_user(const lnode *n, search_items *s, anode *avc);
+ static int parse_obj(const lnode *n, search_items *s);
+ static int parse_login(const lnode *n, search_items *s);
+ static int parse_daemon1(const lnode *n, search_items *s);
+@@ -105,7 +105,7 @@ int extract_search_items(llist *l)
+ case AUDIT_FIRST_USER_MSG...AUDIT_USER_END:
+ case AUDIT_USER_CHAUTHTOK...AUDIT_LAST_USER_MSG:
+ case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2:
+- ret = parse_user(n, s);
++ ret = parse_user(n, s, NULL);
+ break;
+ case AUDIT_SOCKADDR:
+ ret = parse_sockaddr(n, s);
+@@ -830,7 +830,7 @@ static int parse_obj(const lnode *n, sea
+ return 0;
+ }
+
+-static int parse_user(const lnode *n, search_items *s)
++static int parse_user(const lnode *n, search_items *s, anode *avc)
+ {
+ char *ptr, *str, *term, saved, *mptr;
+
+@@ -915,7 +915,10 @@ static int parse_user(const lnode *n, se
+ if (term == NULL)
+ return 12;
+ *term = 0;
+- if (audit_avc_init(s) == 0) {
++ if (avc) {
++ avc->scontext = strdup(str);
++ *term = ' ';
++ } else if (audit_avc_init(s) == 0) {
+ anode an;
+
+ anode_init(&an);
+@@ -926,6 +929,31 @@ static int parse_user(const lnode *n, se
+ return 13;
+ }
+ }
++ // optionally get tcontext
++ if (avc && event_object) {
++ // USER_AVC tcontext
++ str = strstr(term, "tcontext=");
++ if (str != NULL) {
++ str += 9;
++ term = strchr(str, ' ');
++ if (term) {
++ *term = 0;
++ avc->tcontext = strdup(str);
++ *term = ' ';
++ }
++ }
++ // Grab tclass if it exists
++ str = strstr(term, "tclass=");
++ if (str) {
++ str += 7;
++ term = strchr(str, ' ');
++ if (term) {
++ *term = 0;
++ avc->avc_class = strdup(str);
++ *term = ' ';
++ }
++ }
++ }
+ // optionally get gid
+ if (event_gid != -1) {
+ if (n->type == AUDIT_ADD_GROUP || n->type == AUDIT_DEL_GROUP ||
+@@ -1880,7 +1908,7 @@ static int parse_avc(const lnode *n, sea
+ other_avc:
+ // User AVC's are not formatted like a kernel AVC
+ if (n->type == AUDIT_USER_AVC) {
+- rc = parse_user(n, s);
++ rc = parse_user(n, s, &an);
+ if (rc > 20)
+ rc = 0;
+ if (audit_avc_init(s) == 0) {
+diff -urp audit-3.0.orig/src/ausearch-string.c audit-3.0/src/ausearch-string.c
+--- audit-3.0.orig/src/ausearch-string.c 2019-03-15 15:30:39.000000000 -0400
++++ audit-3.0/src/ausearch-string.c 2019-04-16 15:55:39.186487759 -0400
+@@ -118,6 +118,9 @@ int slist_add_if_uniq(slist *l, const ch
+ snode sn;
+ register snode *cur;
+
++ if (str == NULL)
++ return -1;
++
+ cur = l->head;
+ while (cur) {
+ if (strcmp(str, cur->str) == 0) {
diff --git a/SOURCES/audit-3.0-cond-restart.patch b/SOURCES/audit-3.0-cond-restart.patch
new file mode 100644
index 0000000..3ea2087
--- /dev/null
+++ b/SOURCES/audit-3.0-cond-restart.patch
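Review bot: In the added tcontext/tclass block of parse_user, `term = strchr(str, ' ')` returns NULL when `tcontext=` is the last token of the record, and the next statement `str = strstr(term, "tclass=");` then hands that NULL to strstr, which is undefined behaviour and in practice a crash of the log-analysis tool on such a USER_AVC record. Guard the second lookup, for example `str = term ? strstr(term, "tclass=") : NULL;`, or keep the end-of-token pointer in a separate local so `term` stays valid for the later searches. The three `strdup()` results stored in `avc->scontext`, `avc->tcontext` and `avc->avc_class` are also unchecked; the NULL guard this patch adds to slist_add_if_uniq appears to cover one consumer, but that is inferred, since parse_user and parse_avc continue outside the hunks.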
@@ -0,0 +1,27 @@
+From 6f699797f43329e16fc89db97e1b95b0cc851860 Mon Sep 17 00:00:00 2001
+From: Steve Grubb
+Date: Tue, 9 Apr 2019 19:45:27 +0200
+Subject: [PATCH] Make conditional restart conditional again
+
+---
+ init.d/auditd.condrestart | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/init.d/auditd.condrestart b/init.d/auditd.condrestart
+index efbaaa8..d86e5e4 100644
+--- a/init.d/auditd.condrestart
++++ b/init.d/auditd.condrestart
+@@ -2,6 +2,10 @@
+ # Helper script to provide legacy auditd service options not
+ # directly supported by systemd.
+
+-/usr/libexec/initscripts/legacy-actions/auditd/restart
+-RETVAL="$?"
+-exit $RETVAL
++state=`service auditd status | awk '/^ Active/ { print $2 }'`
++if [ $state = "active" ] ; then
++ /usr/libexec/initscripts/legacy-actions/auditd/restart
++ RETVAL="$?"
++ exit $RETVAL
++fi
++exit 0
diff --git a/SPECS/audit.spec b/SPECS/audit.spec
new file mode 100644
index 0000000..f14b8ec
--- /dev/null
+++ b/SPECS/audit.spec
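Review bot: `if [ $state = "active" ]` expands `$state` unquoted, so when the awk filter matches nothing the test becomes `[ = "active" ]` and the script reaches `exit 0` only by way of a test syntax error printed to stderr. Quote the expansion: `if [ "$state" = "active" ] ; then`. The state is also scraped from the human-readable `service auditd status` output, which ties the restart decision to that layout; `systemctl is-active --quiet auditd` would answer the same question from an exit status, if it is usable in this legacy-actions context.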
@@ -0,0 +1,521 @@
+%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+
+Summary: User space tools for 2.6 kernel auditing
+Name: audit
+Version: 2.8.5
+Release: 4%{?dist}
+License: GPLv2+
+Group: System Environment/Daemons
+URL: http://people.redhat.com/sgrubb/audit/
+Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
+# This patch switches collecting nametype for objtype because RHEL is different
+Patch1: audit-2.7.1-rhel7-fixup.patch
+# DO NOT REMOVE - backlog_wait_time is not in RHEL 7 kernel
+Patch2: audit-2.7.5-no-backlog-wait-time.patch
+Patch3: audit-2.8.6-memleak.patch
+Patch4: audit-3.0-avc.patch
+Patch5: audit-3.0-cond-restart.patch
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: openldap-devel
+BuildRequires: swig
+BuildRequires: python-devel
+BuildRequires: tcp_wrappers-devel krb5-devel libcap-ng-devel
+BuildRequires: kernel-headers >= 2.6.29
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+BuildRequires: systemd-units
+Requires(post): systemd-units systemd-sysv chkconfig coreutils
+Requires(preun): systemd-units
+Requires(postun): systemd-units coreutils
+
+%description
+The audit package contains the user space utilities for
+storing and searching the audit records generated by
+the audit subsystem in the Linux 2.6 and later kernels.
+
+%package libs
+Summary: Dynamic library for libaudit
+License: LGPLv2+
+Group: Development/Libraries
+
+%description libs
+The audit-libs package contains the dynamic libraries needed for
+applications to use the audit framework.
+
+%package libs-devel
+Summary: Header files for libaudit
+License: LGPLv2+
+Group: Development/Libraries
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: kernel-headers >= 2.6.29
+
+%description libs-devel
+The audit-libs-devel package contains the header files needed for
+developing applications that need to use the audit framework libraries.
+
+%package libs-static
+Summary: Static version of libaudit library
+License: LGPLv2+
+Group: Development/Libraries
+Requires: kernel-headers >= 2.6.29
+
+%description libs-static
+The audit-libs-static package contains the static libraries
+needed for developing applications that need to use static audit
+framework libraries
+
+%package libs-python
+Summary: Python bindings for libaudit
+License: LGPLv2+
+Group: Development/Libraries
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+
+%description libs-python
+The audit-libs-python package contains the bindings so that libaudit
+and libauparse can be used by python.
+
+%package -n audispd-plugins
+Summary: Plugins for the audit event dispatcher
+License: GPLv2+
+Group: System Environment/Daemons
+Requires: %{name} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: openldap
+
+%description -n audispd-plugins
+The audispd-plugins package provides plugins for the real-time
+interface to the audit system, audispd. These plugins can do things
+like relay events to remote machines.
+
+%prep
+%setup -q
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+
+%build
+%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes \
+ --with-libwrap --enable-gssapi-krb5=yes \
+ --with-libcap-ng=yes --with-arm --with-aarch64 \
+ --enable-zos-remote --without-golang --enable-systemd
+
+make CFLAGS="%{optflags}" %{?_smp_mflags}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+mkdir -p $RPM_BUILD_ROOT/{sbin,etc/audispd/plugins.d,etc/audit/rules.d}
+mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
+mkdir -p $RPM_BUILD_ROOT/%{_lib}
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
+mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit
+mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
+make DESTDIR=$RPM_BUILD_ROOT install
+
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}
+# This winds up in the wrong place when libtool is involved
+mv $RPM_BUILD_ROOT/%{_lib}/libaudit.a $RPM_BUILD_ROOT%{_libdir}
+mv $RPM_BUILD_ROOT/%{_lib}/libauparse.a $RPM_BUILD_ROOT%{_libdir}
+curdir=`pwd`
+cd $RPM_BUILD_ROOT/%{_libdir}
+LIBNAME=`basename \`ls $RPM_BUILD_ROOT/%{_lib}/libaudit.so.1.*.*\``
+ln -s ../../%{_lib}/$LIBNAME libaudit.so
+LIBNAME=`basename \`ls $RPM_BUILD_ROOT/%{_lib}/libauparse.so.0.*.*\``
+ln -s ../../%{_lib}/$LIBNAME libauparse.so
+cd $curdir
+# Remove these items so they don't get picked up.
+rm -f $RPM_BUILD_ROOT/%{_lib}/libaudit.so
+rm -f $RPM_BUILD_ROOT/%{_lib}/libauparse.so
+
+find $RPM_BUILD_ROOT -name '*.la' -delete
+find $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages -name '*.a' -delete
+
+# Move the pkgconfig file
+mv $RPM_BUILD_ROOT/%{_lib}/pkgconfig $RPM_BUILD_ROOT%{_libdir}
+
+# On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
+touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
+touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz
+
+%check
+%ifnarch aarch64 ppc %{power64} s390 s390x %{ix86}
+make check
+%endif
+# Get rid of make files that they don't get packaged.
+rm -f rules/Makefile*
+
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post libs -p /sbin/ldconfig
+
+%post
+# Copy default rules into place on new installation
+files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
+if [ "$files" -eq 0 ] ; then
+ if [ -e /usr/share/doc/audit-%{version}/rules/10-base-config.rules ] ; then
+ cp /usr/share/doc/audit-%{version}/rules/10-base-config.rules /etc/audit/rules.d/audit.rules
+ else
+ touch /etc/audit/rules.d/audit.rules
+ fi
+ chmod 0600 /etc/audit/rules.d/audit.rules
+fi
+%systemd_post auditd.service
+
+%preun
+%systemd_preun auditd.service
+if [ $1 -eq 0 ]; then
+ /sbin/service auditd stop > /dev/null 2>&1
+fi
+
+%postun libs -p /sbin/ldconfig
+
+%postun
+if [ $1 -ge 1 ]; then
+ /sbin/service auditd condrestart > /dev/null 2>&1 || :
+fi
+
+%files libs
+%defattr(-,root,root,-)
+/%{_lib}/libaudit.so.1*
+/%{_lib}/libauparse.*
+%config(noreplace) %attr(640,root,root) /etc/libaudit.conf
+%{_mandir}/man5/libaudit.conf.5.gz
+
+%files libs-devel
+%defattr(-,root,root,-)
+%doc contrib/skeleton.c contrib/plugin
+%{_libdir}/libaudit.so
+%{_libdir}/libauparse.so
+%{_includedir}/libaudit.h
+%{_includedir}/auparse.h
+%{_includedir}/auparse-defs.h
+%{_datadir}/aclocal/audit.m4
+%{_libdir}/pkgconfig/audit.pc
+%{_libdir}/pkgconfig/auparse.pc
+%{_mandir}/man3/*
+
+%files libs-static
+%defattr(-,root,root,-)
+%{_libdir}/libaudit.a
+%{_libdir}/libauparse.a
+
+%files libs-python
+%defattr(-,root,root,-)
+%attr(755,root,root) %{python_sitearch}/_audit.so
+%attr(755,root,root) %{python_sitearch}/auparse.so
+%{python_sitearch}/audit.py*
+
+%files
+%defattr(-,root,root,-)
+%doc README COPYING ChangeLog rules init.d/auditd.cron
+%attr(644,root,root) %{_mandir}/man8/audispd.8.gz
+%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
+%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
+%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
+%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
+%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
+%attr(644,root,root) %{_mandir}/man8/aulast.8.gz
+%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
+%attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
+%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
+%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
+%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
+%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
+%attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz
+%attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
+%attr(755,root,root) /sbin/auditctl
+%attr(755,root,root) /sbin/auditd
+%attr(755,root,root) /sbin/ausearch
+%attr(755,root,root) /sbin/aureport
+%attr(750,root,root) /sbin/autrace
+%attr(755,root,root) /sbin/audispd
+%attr(755,root,root) /sbin/augenrules
+%attr(755,root,root) %{_bindir}/aulast
+%attr(755,root,root) %{_bindir}/aulastlog
+%attr(755,root,root) %{_bindir}/ausyscall
+%attr(755,root,root) %{_bindir}/auvirt
+%attr(644,root,root) %{_unitdir}/auditd.service
+%attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/reload
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/restart
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/resume
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/state
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
+%ghost %{_localstatedir}/run/auditd.state
+%attr(-,root,-) %dir %{_var}/log/audit
+%attr(750,root,root) %dir /etc/audit
+%attr(750,root,root) %dir /etc/audit/rules.d
+%attr(750,root,root) %dir /etc/audisp
+%attr(750,root,root) %dir /etc/audisp/plugins.d
+%config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
+%ghost %config(noreplace) %attr(600,root,root) /etc/audit/rules.d/audit.rules
+%ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
+%config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
+%config(noreplace) %attr(640,root,root) /etc/audisp/audispd.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/af_unix.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/syslog.conf
+
+%files -n audispd-plugins
+%defattr(-,root,root,-)
+%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
+%attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
+%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/audispd-zos-remote.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/zos-remote.conf
+%attr(750,root,root) /sbin/audispd-zos-remote
+%config(noreplace) %attr(640,root,root) /etc/audisp/audisp-remote.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/au-remote.conf
+%attr(750,root,root) /sbin/audisp-remote
+%attr(700,root,root) %dir %{_var}/spool/audit
+%attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
+%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
+
+%changelog
+* Mon May 06 2019 Steve Grubb 2.8.5-4
+resolves: #1696709 - updating auditd is enabling disabled service
+
+* Sun May 05 2019 Steve Grubb 2.8.5-3
+resolves: #1705376 - aureport aborts when using a specific input
+
+* Wed Mar 27 2019 Steve Grubb 2.8.5-2
+resolves: #1651761 - Fix memory leak reported upstream
+
+* Tue Mar 05 2019 Steve Grubb 2.8.5-1
+resolves: #1651761 - Rebase audit package to 2.8.5 to pick up bug fixes
+resolves: #1462178 - audit rule arch changed from b32 to b64 on ppc64le
+resolves: #1614833 - audispd loops reloading config
+resolves: #1622194 - audisp-remote memory leak when using krb5
+resolves: #1625156 - audisp-remote wont connect if remote ending action not reconnect
+resolves: #1628626 - aureport -a --failed does not display user_avc events
+resolves: #1648005 - tcp listener socket fails when ipv6.disable=1 boot command
+resolves: #1650670 - space left in auditd.conf expressed as a percentage
+resolves: #1663285 - ausearch device/inode missing when using a single file
+resolves: #1672287 - max_log_file_action "keep_logs" doesn't behave as described
+
+* Tue Jul 17 2018 Steve Grubb 2.8.4-4
+resolves: #1559032 - Rebase audit package to 2.8.4 to pick up bug fixes
+
+* Wed Jun 27 2018 Steve Grubb 2.8.4-3
+resolves: #1587995 - auditd sometimes in failed state after boot
+
+* Tue Jun 26 2018 Steve Grubb 2.8.4-2
+resolves: #1559032 - Fix a segfault on shutdown
+
+* Wed Jun 20 2018 Steve Grubb 2.8.4-1
+resolves: #1559032 - Rebase audit package to 2.8.4 to pick up bug fixes
+resolves: #1573889 - auditd busy loop in rotate_logs() with num_logs < 2
+resolves: #1534748 - incorrect addr field when using IPv6 for remote logging
+resolves: #1515903 - ausearch-expression man page missing \timestamp_ex
+resolves: #1511606 - aureport AVC report header is incomplete
+resolves: #1504251 - make auditd dump internal state for log writing status
+
+* Tue Dec 12 2017 Steve Grubb 2.8.1-3
+resolves: #1399314 - Allow non-equality comparisons for uid and gid fields
+
+* Mon Nov 06 2017 Steve Grubb 2.8.1-2
+resolves: #1508965 - Need to rebuild rpm to remove static relocations
+
+* Thu Oct 12 2017 Steve Grubb 2.8.1-1
+resolves: #982154 - Can't find the "avc" event with the auvirt command
+resolves: #1101605 - Ipv6 seems no working
+resolves: #1399314 - Allow non-equality comparisons for uid and gid fields
+resolves: #1455598 - Default port is wrong in audisp-remote.conf
+resolves: #1476406 - Audit package rebase
+
+* Mon Sep 18 2017 Steve Grubb 2.7.8-1
+resolves: #1406887 - auditd validate_email uses obsolete gethostbyname
+resolves: #1448526 - aureport shows the wrong auid "-1"
+resolves: #1475998 - python audit crash if when using AUSOURCE_FILE_POINTER
+resolves: #1482121 - python audit crash dereferencing auparse_state_t le field
+
+* Mon Jun 12 2017 Steve Grubb 2.7.6-3
+resolves: #1460110 - aureport does not report all anomalies
+
+* Fri May 26 2017 Steve Grubb 2.7.6-2
+resolves: #1455594 - Bad configuration keyword for audispd-remote.conf
+
+* Wed Apr 19 2017 Steve Grubb 2.7.6-1
+resolves: #1443107 - disk full action and infinite loop in audit-remote
+
+* Mon Apr 10 2017 Steve Grubb 2.7.5-1
+resolves: #1437187 - audit rpm postinstall script points to non-existing file
+resolves: #1437426 - Remove "--backlog_wait_time" from auditctl man page & rules
+resolves: #1437626 - PF_PACKET socket address will cause ausearch to segfault
+resolves: #1438997 - SECCOMP records have wrong syscall
+
+* Tue Mar 28 2017 Steve Grubb 2.7.4-1
+resolves: #1367703 - auvirt wasn't supporting date keywords
+resolves: #1396792 - augenrules includes files ending in regexp "rules"
+resolves: #1406525 - ausearch with '--raw' parameter outputs garbage character
+
+* Tue Feb 28 2017 Steve Grubb 2.7.3-1
+resolves: #1381601 - audit package update
+resolves: #1382381 - typo in package description
+
+* Fri Jan 20 2017 Steve Grubb 2.6.5-4
+resolves: #1382397 - write_logs option is not correctly handled
+resolves: #1414812 - Setting log_format to NOLOG make auditd core dump
+
+* Wed Aug 10 2016 Steve Grubb 2.6.5-3
+resolves: #1296204 - Rebase audit package
+
+* Wed Jan 14 2015 Steve Grubb 2.4.1-5
+resolves: #1180675 - rules with "-F arch=ppc64le" fail to load
+
+* Tue Jan 13 2015 Steve Grubb 2.4.1-4
+- Remove golang bindings added under the following bz
+resolves: #1115196 - Add golang bindings for libaudit
+
+* Wed Dec 17 2014 Steve Grubb 2.4.1-2
+resolves: #1173160 - Audit package needs update for new VPN crypto events
+
+* Tue Oct 28 2014 Steve Grubb 2.4.1-1
+resolves: #963353 - aarch64 userspace auditing needs to be written
+resolves: #1150202 - perf trace sleep 1 does not list any syscall information
+resolves: #1142989 - Update audit package to 2.4.1
+resolves: #1155221 - adjust fstatat naming to match kernel uapi
+
+* Thu Sep 18 2014 Steve Grubb 2.4-1
+resolves: #1115196 - Add golang bindings for libaudit
+resolves: #1105150 - audispd config file parser fails on long input
+resolves: #1104973 - auparse truncating selinux context after first category
+resolves: #1088593 - auditctl man page examples use deprecated syscalls
+resolves: #1087849 - support for setting loginuid immutable
+resolves: #1073063 - AUDIT_SECCOMP events syscall field is not interpretted
+resolves: #975796 - confusing aulast records for bad logins
+
+* Tue Mar 18 2014 Steve Grubb 2.3.3-4
+resolves: #1077249 - Audit update, various issues
+
+* Fri Jan 24 2014 Daniel Mach - 2.3.3-3
+- Mass rebuild 2014-01-24
+
+* Mon Jan 20 2014 Steve Grubb 2.3.3-2
+- New upstream bugfix/enhancement release
+resolves: #1053804 - ausearch issues found by ausearch-test
+resolves: #1030409 - ausearch help typo for "-x" option
+
+* Fri Dec 27 2013 Daniel Mach - 2.3.2-4
+- Mass rebuild 2013-12-27
+
+* Thu Oct 03 2013 Steve Grubb 2.3.2-3
+resolves: #828495 - semanage port should generate an audit event
+
+* Thu Aug 29 2013 Steve Grubb 2.3.2-2
+resolves: #991056 - ausearch ignores USER events with -ua option
+
+* Mon Jul 29 2013 Steve Grubb 2.3.2-1
+- New upstream bugfix/enhancement release
+resolves: #982112 Add delay between stopping and starting auditd
+
+* Wed Jul 10 2013 Steve Grubb 2.3.1-4
+resolves: #982112 Add delay between stopping and starting auditd
+
+* Wed Jul 03 2013 Steve Grubb 2.3.1-3
+- Remove prelude support
+
+* Fri May 31 2013 Steve Grubb 2.3.1-2
+- Fix unknown lvalue in auditd.service (#969345)
+
+* Thu May 30 2013 Steve Grubb 2.3.1-1
+- New upstream bugfix/enhancement release
+
+* Fri May 03 2013 Steve Grubb 2.3-2
+- If no rules exist, copy shipped rules into place
+
+* Tue Apr 30 2013 Steve Grubb 2.3-1
+- New upstream bugfix release
+
+* Thu Mar 21 2013 Steve Grubb 2.2.3-2
+- Fix clone syscall interpretation
+
+* Tue Mar 19 2013 Steve Grubb 2.2.3-1
+- New upstream bugfix release
+
+* Wed Feb 13 2013 Fedora Release Engineering - 2.2.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Jan 16 2013 Steve Grubb 2.2.2-4
+- Don't make auditd.service file executable (#896113)
+
+* Fri Jan 11 2013 Steve Grubb 2.2.2-3
+- Do not own /usr/lib64/audit
+
+* Wed Dec 12 2012 Steve Grubb 2.2.2-2
+- New upstream release
+
+* Wed Jul 18 2012 Fedora Release Engineering - 2.2.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Mar 23 2012 Steve Grubb 2.2.1-1
+- New upstream release
+
+* Thu Mar 1 2012 Steve Grubb 2.2-1
+- New upstream release
+
+* Thu Jan 12 2012 Fedora Release Engineering - 2.1.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu Sep 15 2011 Adam Williamson 2.1.3-4
+- add in some systemd scriptlets that were missed, including one which
+ will cause auditd to be enabled on upgrade from pre-systemd builds
+
+* Wed Sep 14 2011 Steve Grubb 2.1.3-3
+- Enable by default (#737060)
+
+* Tue Aug 30 2011 Steve Grubb 2.1.3-2
+- Correct misplaced ifnarch (#734359)
+
+* Mon Aug 15 2011 Steve Grubb 2.1.3-1
+- New upstream release
+
+* Tue Jul 26 2011 Jóhann B. Guðmundsson - 2.1.2-2
+- Introduce systemd unit file, drop SysV support
+
+* Sat Jun 11 2011 Steve Grubb 2.1.2-1
+- New upstream release
+
+* Wed Apr 20 2011 Steve Grubb 2.1.1-1
+- New upstream release
+
+* Tue Mar 29 2011 Steve Grubb 2.1-1
+- New upstream release
+
+* Mon Feb 07 2011 Fedora Release Engineering - 2.0.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Feb 04 2011 Steve Grubb 2.0.6-1
+- New upstream release
+
+* Thu Jan 20 2011 Karsten Hopp 2.0.5-2
+- bump and rebuild as 2.0.5-1 was erroneously linked with python-2.6 on ppc
+
+* Tue Nov 02 2010 Steve Grubb 2.0.5-1
+- New upstream release
+
+* Wed Jul 21 2010 David Malcolm - 2.0.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Tue Feb 16 2010 Adam Jackson 2.0.4-3
+- audit-2.0.4-add-needed.patch: Fix FTBFS for --no-add-needed
+
+* Fri Jan 29 2010 Steve Grubb 2.0.4-2
+- Split out static libs (#556039)
+
+* Tue Dec 08 2009 Steve Grubb 2.0.4-1
+- New upstream release
+
+* Sat Oct 17 2009 Steve Grubb 2.0.3-1
+- New upstream release
+
+* Fri Oct 16 2009 Steve Grubb 2.0.2-1
+- New upstream release
+
+* Mon Sep 28 2009 Steve Grubb 2.0.1-1
+- New upstream release
+
+* Fri Aug 21 2009 Steve Grubb 2.0-3
+- New upstream release