diff --git a/audit-3.0.3.tar.gz b/audit-3.0.3.tar.gz
deleted file mode 100644
index 02b03b8..0000000
--- a/audit-3.0.3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:23777e1dc9a80a2ee06a4d442a6a0a9bcbf1ae7ee4b5738a220ff619738cc904
-size 1186684
diff --git a/audit-3.0.5.tar.gz b/audit-3.0.5.tar.gz
new file mode 100644
index 0000000..266579e
--- /dev/null
+++ b/audit-3.0.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:23bcc88de1b4b94eedfcab9ef805269f073fe8766305e90e361fc58dac328340
+size 595279
diff --git a/audit-ausearch-do-not-require-tclass.patch b/audit-ausearch-do-not-require-tclass.patch
index db54e5d..251860c 100644
--- a/audit-ausearch-do-not-require-tclass.patch
+++ b/audit-ausearch-do-not-require-tclass.patch
@@ -11,7 +11,7 @@ Signed-off-by: Tony Jones <tonyj@suse.de>
 
 --- a/src/ausearch-parse.c
 +++ b/src/ausearch-parse.c
-@@ -1735,17 +1735,15 @@ static int parse_avc(const lnode *n, sea
+@@ -2061,17 +2061,15 @@ other_avc:
  
  	// Now get the class...its at the end, so we do things different
  	str = strstr(term, "tclass=");
diff --git a/audit-secondary.changes b/audit-secondary.changes
index d9d143f..e947c94 100644
--- a/audit-secondary.changes
+++ b/audit-secondary.changes
@@ -1,3 +1,32 @@
+-------------------------------------------------------------------
+Mon Sep 20 02:06:44 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
+
+- Fix hardened auditd.service (bsc#1181400)
+  * add fix-hardened-service.patch
+    Make /etc/audit read-write from the service.
+    Remove PrivateDevices=true to expose /dev/* to auditd.service.
+
+- Enable stop rules for audit.service (cf. bsc#1190227)
+  * add enable-stop-rules.patch
+
+-------------------------------------------------------------------
+Thu Sep 16 03:46:19 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
+
+- Change default log_format from ENRICHED to RAW (bsc#1190500):
+  * add change-default-log_format.patch (SUSE-specific patch)
+
+- Update to version 3.0.5:
+  * In auditd, flush uid/gid caches when user/group added/deleted/modified
+  * Fixed various issues when dealing with corrupted logs
+  * In auditd, check if log_file is valid before closing handle
+
+- Include fixed from 3.0.4:
+  * Apply performance speedups to auparse library
+  * Optimize rule loading in auditctl
+  * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
+  * Update syscall table to the 5.14 kernel
+  * Fixed various issues when dealing with corrupted logs
+
 -------------------------------------------------------------------
 Mon Aug 16 13:29:21 UTC 2021 - Marcus Meissner <meissner@suse.com>
 
diff --git a/audit-secondary.spec b/audit-secondary.spec
index f1366ed..a1821dd 100644
--- a/audit-secondary.spec
+++ b/audit-secondary.spec
@@ -22,7 +22,7 @@
 # The seperation is required to minimize unnecessary build cycles.
 %define 	_name audit
 Name:           audit-secondary
-Version:        3.0.3
+Version:        3.0.5
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -37,6 +37,9 @@ Patch4:         audit-ausearch-do-not-require-tclass.patch
 Patch5:         change-default-log_group.patch
 Patch6:         libev-werror.patch
 Patch7:         harden_auditd.service.patch
+Patch8:         change-default-log_format.patch
+Patch9:         fix-hardened-service.patch
+Patch10:        enable-stop-rules.patch
 BuildRequires:  audit-devel = %{version}
 BuildRequires:  autoconf >= 2.12
 BuildRequires:  gcc-c++
@@ -129,6 +132,9 @@ rm -rf audisp/plugins/prelude
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
 
 %if %{without python2} && %{with python3}
 # Fix python env call in tests if we only have Python3.
diff --git a/audit.changes b/audit.changes
index fe83d86..c8db949 100644
--- a/audit.changes
+++ b/audit.changes
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Thu Sep 16 03:46:19 UTC 2021 - Enzo Matsumiya <ematsumiya@suse.com>
+
+- Update to version 3.0.5:
+  * In auditd, flush uid/gid caches when user/group added/deleted/modified
+  * Fixed various issues when dealing with corrupted logs
+  * In auditd, check if log_file is valid before closing handle
+
+- Include fixed from 3.0.4:
+  * Apply performance speedups to auparse library
+  * Optimize rule loading in auditctl
+  * Fix an auparse memory leak caused by glibc-2.33 by replacing realpath
+  * Update syscall table to the 5.14 kernel
+  * Fixed various issues when dealing with corrupted logs
+
 -------------------------------------------------------------------
 Fri Jul 30 18:14:14 CEST 2021 - Enzo Matsumiya <ematsumiya@suse.com>
 
diff --git a/audit.spec b/audit.spec
index 2df0023..d1972f7 100644
--- a/audit.spec
+++ b/audit.spec
@@ -17,7 +17,7 @@
 
 
 Name:           audit
-Version:        3.0.3
+Version:        3.0.5
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
diff --git a/change-default-log_format.patch b/change-default-log_format.patch
new file mode 100644
index 0000000..a829bdf
--- /dev/null
+++ b/change-default-log_format.patch
@@ -0,0 +1,28 @@
+From: Enzo Matsumiya <ematsumiya@suse.de>
+Subject: auditd.conf: change default log_format
+References: bsc#1190500
+
+Upstream commit bf1270cfe ("change default logging format and update roadmap")
+changed the default log_format from RAW to ENRICHED.
+
+This causes non-audit tools to not interpret the GS character (group separator,
+0x1d) that splits the raw data from the enriched data, causing it to be visually
+concatenated.
+
+Since a candidate patch to change this was rejected by upstream, we change
+the default log_format back to RAW instead, to avoid confusion on customers'
+environments.
+
+Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
+
+--- a/init.d/auditd.conf
++++ b/init.d/auditd.conf
+@@ -6,7 +6,7 @@ local_events = yes
+ write_logs = yes
+ log_file = /var/log/audit/audit.log
+ log_group = audit
+-log_format = ENRICHED
++log_format = RAW
+ flush = INCREMENTAL_ASYNC
+ freq = 50
+ max_log_file = 8
diff --git a/enable-stop-rules.patch b/enable-stop-rules.patch
new file mode 100644
index 0000000..7e0ea7e
--- /dev/null
+++ b/enable-stop-rules.patch
@@ -0,0 +1,24 @@
+From: Enzo Matsumiya <ematsumiya@suse.de>
+Subject: init.d/auditd.service: enable ExecStopPost directive in auditd.service
+References: bsc#1190227
+
+This has caused confusion for customers when relating stopping auditd service
+is the same as stopping system auditing. This is completely understandable, but
+it's by design, so kauditd can keep filling its queues for any other userspace
+daemon to consume.
+
+Disable audit when auditd.service stops, so kauditd stops logging/running.
+
+Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
+
+--- a/init.d/auditd.service
++++ b/init.d/auditd.service
+@@ -25,7 +25,7 @@ ExecStartPost=-/sbin/augenrules --load
+ #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
+ # By default we don't clear the rules on exit. To enable this, uncomment
+ # the next line after copying the file to /etc/systemd/system/auditd.service
+-#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
++ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
+ 
+ ### Security Settings ###
+ MemoryDenyWriteExecute=true
diff --git a/fix-hardened-service.patch b/fix-hardened-service.patch
new file mode 100644
index 0000000..34f97c1
--- /dev/null
+++ b/fix-hardened-service.patch
@@ -0,0 +1,30 @@
+From: Enzo Matsumiya <ematsumiya@suse.de>
+Subject: init.d/auditd.service: make /etc/audit writable
+References: bsc#1181400
+
+systemd hardening effort (bsc#1181400) broke auditd.service when starting/
+restarting it. This was because auditd couldn't save/create audit.rules from
+/etc/audit/rules.d/* files.
+
+Make /etc/audit writable for the service.
+
+Also remove PrivateDevices=true so /dev/* are exposed to auditd.
+
+Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
+
+--- a/init.d/auditd.service
++++ b/init.d/auditd.service
+@@ -37,12 +37,12 @@ RestrictRealtime=true
+ # added automatically, for details please see
+ # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ ProtectSystem=full
+-PrivateDevices=true
+ ProtectHostname=true
+ ProtectClock=true
+ ProtectKernelTunables=true
+ ProtectKernelLogs=true
+ # end of automatic additions 
++ReadWritePaths=/etc/audit
+ 
+ [Install]
+ WantedBy=multi-user.target
diff --git a/harden_auditd.service.patch b/harden_auditd.service.patch
index fb927fd..8dc1528 100644
--- a/harden_auditd.service.patch
+++ b/harden_auditd.service.patch
@@ -1,8 +1,6 @@
-Index: audit-3.0.3/init.d/auditd.service
-===================================================================
---- audit-3.0.3.orig/init.d/auditd.service
-+++ audit-3.0.3/init.d/auditd.service
-@@ -35,6 +35,15 @@ ProtectControlGroups=true
+--- a/init.d/auditd.service
++++ b/init.d/auditd.service
+@@ -34,6 +34,15 @@ ProtectControlGroups=true
  ProtectKernelModules=true
  ProtectHome=true
  RestrictRealtime=true