audit-4.0.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bf422d4126ab77a92a4c3ac39de5473f278dc3de35724d2518a48c7be15d54d8
-size 1179876

audit-allow-manual-stop.patch

@@ -11,13 +11,15 @@ SUSE since we lack the ability to use a custom stop/restart
  init.d/auditd.service |    1 -
  1 file changed, 1 deletion(-)
 
---- a/init.d/auditd.service
+Index: audit-3.0.9/init.d/auditd.service
-+++ b/init.d/auditd.service
+===================================================================
-@@ -14,7 +14,6 @@ After=local-fs.target systemd-tmpfiles-s
+--- audit-3.0.9.orig/init.d/auditd.service
++++ audit-3.0.9/init.d/auditd.service
+@@ -11,7 +11,6 @@ After=local-fs.target systemd-tmpfiles-s
  Before=sysinit.target shutdown.target
  ##Before=shutdown.target
  Conflicts=shutdown.target
 -RefuseManualStop=yes
- 
+ ConditionKernelCommandLine=!audit=0
- Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
+ ConditionKernelCommandLine=!audit=off
  

audit-secondary.changes

@@ -1,89 +1,3 @@
--------------------------------------------------------------------
-Fri Oct  4 16:06:06 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
-
-- Update audit.spec (bsc#1231236):
-  * add requirement for 'awk' package
-  * move some %post logic from audit to audit-rules
-
--------------------------------------------------------------------
-Wed Oct  2 11:15:07 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
-
-- Readd audit-allow-manual-stop.patch (removed by mistake)
-
--------------------------------------------------------------------
-Tue Oct  1 14:43:13 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
-
-- Fix plugin termination when using systemd service units (bsc#1215377)
-  * add auditd.service-fix-plugin-termination.patch
-
--------------------------------------------------------------------
-Thu Sep 26 16:51:29 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
-
-- Update audit-secondary.spec:
-  * Add "Requires: audit-rules" for audit package
-  * Remove preun/postun handling of audit-rules.service
-
--------------------------------------------------------------------
-Tue Sep 17 18:23:15 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
-
-- Update to 4.0
-  - Drop python2 support
-  - Drop auvirt and autrace programs
-  - Drop SysVinit support
-  - Require the use of the 5.0 or later kernel headers
-  - New README.md file
-  - Rewrite legacy service functions in terms of systemctl
-  - Consolidate and update end of event detection to a common function
-  - Split off rule loading from auditd.service into audit-rules.service
-  - Refactor libaudit.h to split out logging functions and record numbers
-  - Speed up aureport --summary reports
-  - Limit libaudit python bindings to logging functions
-  - Add a metrics function for auparse
-  - Change auditctl to use pidfd_send_signal for signaling auditd
-  - Adjust watches to optimize syscalls hooked when watch file access
-  - Drop nispom rules
-  - Add intepretations for fsconfig, fsopen, fsmount, & move_mount
-  - Many code fixups (cgzones)
-  - Update syscall and interpretation tables to the 6.8 kernel
-  (from v3.1.2)
-  - When processing a run level change, make auditd exit
-  - In auditd, fix return code when rules added in immutable mode
-  - In auparse, when files are given, also consider EUID for access
-  - Auparse now interprets unnamed/anonymous sockets (Enzo Matsumiya)
-  - Disable Python bindings from setting rules due to swig bug (S. Trofimovich)
-  - Update all lookup tables for the 6.5 kernel
-  - Don't be as paranoid about auditctl -R file permissions
-  - In ausearch, correct subject/object search to be an and if both are given
-  - Adjust formats for 64 bit time_t
-  - Fix segfault in python bindings around the feed API
-  - Add feed_has_data, get_record_num, and get/goto_field_num to python bindings
-
-- Update spec:
-  * Move rules-related files into new subpackage `audit-rules':
-    * Files moved:
-	- /sbin/auditctl, /sbin/augenrules,
-	  /etc/audit/{audit.rules,rules.d/audit.rules,audit-stop.rules}
-	- manpages for auditctl, augenrules, and audit.rules
-	- /etc/audit is now owned by `audit-rules' as well
-    * Add new file /usr/lib/systemd/system/audit-rules.service
-    * Remove in-house create-augenrules-service.patch that generated
-      augenrules.service systemd unit service
-    * Remove ownership of /usr/share/audit
-    * Create /usr/share/audit-rules directory on %install
-  * Remove audit-userspace-517-compat.patch (fixed upstream)
-  * Remove libev-werror.patch (fixed upstream)
-  * Remove audit-allow-manual-stop.patch (fixed upstream)
-  * Add fix-auparse-test.patch (downstream):
-    Upstream tests uses a static value (42) for 'gdm' uid/gid (based
-    on Fedora values, apparently).  Replace these occurrences with
-    'unknown(123456)'
-  * Replace '--with-python' with '--with-python3' on %configure
-  * Remove autrace and auvirt references (upstream)
-  * Replace README with README.md
-- Drop `--enable-systemd' from %configure as SysV-style scripts
-  aren't supported in upstream since
-  113ae191758c ("Drop support for SysVinit")
-
 -------------------------------------------------------------------
 Mon Aug  5 08:50:50 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
 

audit-secondary.spec

@@ -22,7 +22,7 @@
 # The seperation is required to minimize unnecessary build cycles.
 %define 	_name audit
 Name:           audit-secondary
-Version:        4.0
+Version:        3.1.1
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -32,15 +32,16 @@ Source0:        https://people.redhat.com/sgrubb/audit/%{_name}-%{version}.tar.g
 Source1:        system-group-audit.conf
 Patch1:         audit-plugins-path.patch
 Patch2:         audit-no-gss.patch
-Patch3:         audit-ausearch-do-not-require-tclass.patch
+Patch3:         audit-allow-manual-stop.patch
-Patch4:         change-default-log_group.patch
+Patch4:         audit-ausearch-do-not-require-tclass.patch
-Patch5:         harden_auditd.service.patch
+Patch5:         change-default-log_group.patch
-Patch6:         change-default-log_format.patch
+Patch6:         libev-werror.patch
-Patch7:         fix-hardened-service.patch
+Patch7:         harden_auditd.service.patch
-Patch8:         enable-stop-rules.patch
+Patch8:         change-default-log_format.patch
-Patch9:         fix-auparse-test.patch
+Patch9:         fix-hardened-service.patch
-Patch10:        auditd.service-fix-plugin-termination.patch
+Patch10:        enable-stop-rules.patch
-Patch11:        audit-allow-manual-stop.patch
+Patch11:        create-augenrules-service.patch
+Patch12:        audit-userspace-517-compat.patch
 BuildRequires:  audit-devel = %{version}
 BuildRequires:  autoconf >= 2.12
 BuildRequires:  kernel-headers >= 2.6.30
@@ -70,7 +71,6 @@ Summary:        User Space Tools for Kernel Auditing
 License:        LGPL-2.1-or-later
 Group:          System/Monitoring
 Requires:       %{_name}-libs = %{version}
-Requires:       %{_name}-rules = %{version}
 Requires:       coreutils
 Requires:       group(audit)
 %{?systemd_ordering}
@@ -80,20 +80,10 @@ The audit package contains the user space utilities for storing and
 processing the audit records generated by the audit subsystem in the
 Linux kernel.
 
-%package -n	audit-rules
-Summary:        Rules and utilities for audit
-License:        LGPL-2.1-or-later
-Requires:       gawk
-Recommends:     audit = %{version}-%{release}
-
-%description -n audit-rules
-The audit rules package contains the rules and utilities to load audit rules.
-
 %package -n     system-group-audit
 Summary:        System group 'audit'
 License:        LGPL-2.1-or-later
 Group:          System/Fhs
-BuildArch:      noarch
 %sysusers_requires
 
 %description -n system-group-audit
@@ -158,6 +148,7 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
 %ifarch arm
 	--with-arm \
 %endif
+	--enable-systemd \
 	--libexecdir=%{_libexecdir}/%{_name} \
 	--with-apparmor \
 	--with-libwrap \
@@ -171,8 +162,7 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
 %sysusers_generate_pre %{SOURCE1} audit system-group-audit.conf
 
 %install
-# Set $PYTHON3 here so py-compile works correctly on distros that doesn't ship /usr/bin/python
+%make_install
-%make_install PYTHON3=$(realpath %__python3)
 
 mkdir -p %{buildroot}%{_localstatedir}/log/audit/
 touch %{buildroot}%{_localstatedir}/log/audit/audit.log
@@ -183,8 +173,7 @@ install -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/
 # post copy runs
 mkdir -p %{buildroot}%{_sysconfdir}/%{_name}/
 mkdir -p %{buildroot}%{_sysconfdir}/%{_name}/rules.d/
-mkdir -p %{buildroot}%{_datadir}/%{_name}-rules
+touch %{buildroot}%{_sysconfdir}/{auditd.conf,audit.rules} %{buildroot}%{_sysconfdir}/audit/auditd.conf
-touch %{buildroot}%{_sysconfdir}/audit/{auditd.conf,audit.rules}
 # On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
 touch -r ./audit.spec %{buildroot}%{_sysconfdir}/libaudit.conf
 # Starting with audit 2.5 no config is installed so start with no rules
@@ -212,7 +201,7 @@ rm -rf %{buildroot}/%{_mandir}/man3
 #USR-MERGE
 %if 0%{?suse_version} < 1550
 mkdir %{buildroot}/sbin/
-for prog in auditctl auditd ausearch aureport augenrules; do
+for prog in auditctl auditd ausearch autrace aureport augenrules; do
   ln -s %{_sbindir}/$prog %{buildroot}/sbin/$prog
 done
 %endif
@@ -222,119 +211,95 @@ done
 ln -s service %{buildroot}%{_sbindir}/rcauditd
 %endif
 chmod 0644 %{buildroot}%{_unitdir}/auditd.service
+chmod 0644 %{buildroot}%{_unitdir}/augenrules.service
 
 %check
 %make_build check
 
 %post -n audit
-# Save existing auditd.conf if any (from old locations)
+# Save existing audit files if any (from old locations)
 if [ -f %{_sysconfdir}/auditd.conf ]; then
    mv %{_sysconfdir}/audit/auditd.conf %{_sysconfdir}/audit/auditd.conf.new
    mv %{_sysconfdir}/auditd.conf %{_sysconfdir}/audit/auditd.conf
 fi
-%service_add_post auditd.service
-
-%post -n audit-rules
 if [ -f %{_sysconfdir}/audit.rules ]; then
-   # If /etc/audit.rules exists, move into the expected default place /etc/audit/audit.rules.
+   mv %{_sysconfdir}/audit.rules %{_sysconfdir}/audit/audit.rules
-   mv %{_sysconfdir}/audit.rules %{_sysconfdir}/%{_name}/audit.rules
+elif [ ! -f %{_sysconfdir}/audit/audit.rules ]; then
-else
+   cp %{_sysconfdir}/audit/rules.d/audit.rules %{_sysconfdir}/audit/audit.rules
-   # We only expect /etc/audit/audit.rules to exist.  If it doesn't, augenrules --load will create
-   # it with the rules in /etc/audit/rules.d.
-   #
-   # If /etc/audit/rules.d is empty, copy the default rules file (no-rules).
-   files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
-   if [ "$files" -eq 0 ] ; then
-      touch %{_sysconfdir}/%{_name}/audit.rules
-      install -m 0600 %{_datadir}/audit-rules/10-no-audit.rules %{_sysconfdir}/%{_name}/rules.d/audit.rules
-      # Make the new rules active
-   fi
-   augenrules --load
 fi
-%service_add_post audit-rules.service
+%service_add_post auditd.service
+%service_add_post augenrules.service
 
 %pre -n audit
 %service_add_pre auditd.service
-
+%service_add_pre augenrules.service
-%pre -n audit-rules
-%service_add_pre audit-rules.service
 
 %pre -n system-group-audit -f audit.pre
 
 %preun -n audit
 %service_del_preun auditd.service
-
+%service_del_preun augenrules.service
-%preun -n audit-rules
-# If uninstalling, delete the rules loaded in the kernel
-if [ $1 -eq 0 ]; then
-	auditctl -D > /dev/null 2>&1
-fi
-%service_del_preun audit-rules.service
 
 %postun -n audit
 %service_del_postun auditd.service
-
+%service_del_postun augenrules.service
-%postun -n audit-rules
-%service_del_postun audit-rules.service
 
 %files -n audit
 %license COPYING
-%doc README.md ChangeLog init.d/auditd.cron
+%doc README ChangeLog init.d/auditd.cron
+%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
 %attr(644,root,root) %{_mandir}/man8/auditd.8.gz
 %attr(644,root,root) %{_mandir}/man8/aureport.8.gz
 %attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
+%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
 %attr(644,root,root) %{_mandir}/man8/aulast.8.gz
 %attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
 %attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
+%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
 %attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
 %attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
+%attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
+%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz
 %if 0%{?suse_version} < 1550
+/sbin/auditctl
 /sbin/auditd
 /sbin/ausearch
+/sbin/autrace
+/sbin/augenrules
 /sbin/aureport
 %endif
+%attr(750,root,root) %{_sbindir}/auditctl
 %attr(750,root,root) %{_sbindir}/auditd
 %attr(755,root,root) %{_sbindir}/ausearch
+%attr(750,root,root) %{_sbindir}/autrace
+%attr(750,root,root) %{_sbindir}/augenrules
 %attr(750,root,root) %{_sbindir}/audisp-syslog
 %attr(755,root,root) %{_bindir}/aulast
 %attr(755,root,root) %{_bindir}/aulastlog
 %attr(755,root,root) %{_bindir}/ausyscall
 %attr(755,root,root) %{_sbindir}/aureport
 %attr(755,root,root) %{_sbindir}/audisp-af_unix
+%attr(755,root,root) %{_bindir}/auvirt
 %dir %attr(750,root,root) %{_sysconfdir}/audit
-%dir %attr(750,root,root) %{_sysconfdir}/audit/plugins.d
+%attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/af_unix.conf
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/syslog.conf
 %ghost %{_sysconfdir}/auditd.conf
+%ghost %{_sysconfdir}/audit.rules
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/auditd.conf
+%dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules
+%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules
 %dir %attr(750,root,audit) %{_localstatedir}/log/audit
 %ghost %config(noreplace) %attr(640,root,audit) %{_localstatedir}/log/audit/audit.log
 %dir %attr(700,root,root) %{_localstatedir}/spool/audit
 %{_unitdir}/auditd.service
+%{_unitdir}/augenrules.service
 %if 0%{?suse_version} < 1550
 %{_sbindir}/rcauditd
 %endif
-
+%{_datadir}/audit/
-%files -n audit-rules
-%dir %attr(755,root,root) %{_datadir}/audit-rules
-%attr(644,root,root) %{_datadir}/audit-rules/*
-%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
-%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
-%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
-%if 0%{?suse_version} < 1550
-/sbin/auditctl
-/sbin/augenrules
-%endif
-%attr(750,root,root) %{_sbindir}/auditctl
-%attr(750,root,root) %{_sbindir}/augenrules
-%attr(644,root,root) %{_unitdir}/audit-rules.service
-%dir %attr(750,root,root) %{_sysconfdir}/audit
-%ghost %{_sysconfdir}/audit.rules
-%dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d
-%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/rules.d/audit.rules
-%ghost %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit.rules
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audit-stop.rules
 
 %files -n system-group-audit
 %{_sysusersdir}/system-group-audit.conf
@@ -343,13 +308,12 @@ fi
 %files -n python2-audit
 %attr(755,root,root) %{python2_sitearch}/_audit.so
 %attr(755,root,root) %{python2_sitearch}/auparse.so
-%attr(644,root,root) %{python2_sitearch}/audit.py*
+%{python2_sitearch}/audit.py*
 %endif
 
 %if %{with python3}
 %files -n python3-audit
 %attr(755,root,root) %{python3_sitearch}/*
-%attr(644,root,root) %{python3_sitearch}/audit.py*
 %endif
 
 %files -n audit-audispd-plugins

audit-userspace-517-compat.patch

@@ -0,0 +1,38 @@
+From: Sergei Trofimovich <slyich@gmail.com>
+Date: Wed, 23 Mar 2022 07:27:05 +0000
+Subject: [PATCH] auditswig.i: avoid setter generation for audit_rule_data::buf
+References: https://github.com/linux-audit/audit-userspace/issues/252
+Git-commit: https://github.com/linux-audit/audit-userspace/pull/253/commits/beed138222421a2eb4212d83cb889404bd7efc49
+Git-repo: [if different from https://github.com/linux-audit/audit-userspace.git]
+Patch-mainline: submitted for review upstream
+
+As it's a flexible array generated code was never safe to use.
+With kernel's https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ed98ea2128b6fd83bce13716edf8f5fe6c47f574
+change it's a build failure now:
+
+    audit> audit_wrap.c:5010:15: error: invalid use of flexible array member
+    audit>  5010 |     arg1->buf = (char [])(char *)memcpy(malloc((size)*sizeof(char)), (const char *)(arg2), sizeof(char)*(size));
+    audit>       |               ^
+
+Let's avoid setter generation entirely.
+
+Closes: https://github.com/linux-audit/audit-userspace/issues/252
+---
+ bindings/swig/src/auditswig.i | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/bindings/swig/src/auditswig.i b/bindings/swig/src/auditswig.i
+index 21aafca31..9a2c5661d 100644
+--- a/bindings/swig/src/auditswig.i
++++ b/bindings/swig/src/auditswig.i
+@@ -39,6 +39,10 @@ signed
+ #define __attribute(X) /*nothing*/
+ typedef unsigned __u32;
+ typedef unsigned uid_t;
++/* Sidestep SWIG's limitation of handling c99 Flexible arrays by not:
++ * generating setters against them: https://github.com/swig/swig/issues/1699
++ */
++%ignore audit_rule_data::buf;
+ %include "/usr/include/linux/audit.h"
+ #define __extension__ /*nothing*/
+ %include <stdint.i>

audit.changes

@@ -1,52 +1,3 @@
--------------------------------------------------------------------
-Fri Oct  4 16:04:56 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
-
-- Update audit.spec: add requirement for 'awk' package (bsc#1231236)
-
--------------------------------------------------------------------
-Tue Sep 17 18:20:58 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
-
-- Update to 4.0
-  - Drop python2 support
-  - Drop auvirt and autrace programs
-  - Drop SysVinit support
-  - Require the use of the 5.0 or later kernel headers
-  - New README.md file
-  - Rewrite legacy service functions in terms of systemctl
-  - Consolidate and update end of event detection to a common function
-  - Split off rule loading from auditd.service into audit-rules.service
-  - Refactor libaudit.h to split out logging functions and record numbers
-  - Speed up aureport --summary reports
-  - Limit libaudit python bindings to logging functions
-  - Add a metrics function for auparse
-  - Change auditctl to use pidfd_send_signal for signaling auditd
-  - Adjust watches to optimize syscalls hooked when watch file access
-  - Drop nispom rules
-  - Add intepretations for fsconfig, fsopen, fsmount, & move_mount
-  - Many code fixups (cgzones)
-  - Update syscall and interpretation tables to the 6.8 kernel
-  (from v3.1.2)
-  - When processing a run level change, make auditd exit
-  - In auditd, fix return code when rules added in immutable mode
-  - In auparse, when files are given, also consider EUID for access
-  - Auparse now interprets unnamed/anonymous sockets (Enzo Matsumiya)
-  - Disable Python bindings from setting rules due to swig bug (S. Trofimovich)
-  - Update all lookup tables for the 6.5 kernel
-  - Don't be as paranoid about auditctl -R file permissions
-  - In ausearch, correct subject/object search to be an and if both are given
-  - Adjust formats for 64 bit time_t
-  - Fix segfault in python bindings around the feed API
-  - Add feed_has_data, get_record_num, and get/goto_field_num to python bindings
-
-- Update spec:
-  * Add fix-auparse-test.patch (downstream):
-    Upstream tests uses a static value (42) for 'gdm' uid/gid (based
-    on Fedora values, apparently).  Replace these occurrences with
-    'unknown(123456)'
-  * Replace '--with-python' with '--with-python3' on %configure
-  * Add new headers 'audit_logging.h' and 'audit-records.h' for
-    audit-devel
-
 -------------------------------------------------------------------
 Mon Jul  3 08:33:52 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>
 

audit.spec

@@ -23,7 +23,7 @@
 %endif
 
 Name:           audit
-Version:        4.0
+Version:        3.1.1
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -33,13 +33,11 @@ Source0:        https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
 Source1:        baselibs.conf
 Source2:        README-BEFORE-ADDING-PATCHES
 Patch0:         change-default-log_group.patch
-Patch1:         fix-auparse-test.patch
 BuildRequires:  autoconf >= 2.12
 BuildRequires:  kernel-headers >= 2.6.30
 BuildRequires:  libtool
 BuildRequires:  pkgconfig
 BuildRequires:  tcpd-devel
-Requires:       gawk
 Requires:       libaudit1 = %{version}
 Requires:       libauparse0 = %{version}
 Provides:       bundled(libev) = 4.33
@@ -100,11 +98,12 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
 %ifarch arm
 	--with-arm \
 %endif
+	--enable-systemd \
 	--libexecdir=%{_libexecdir}/%{name} \
 	--with-apparmor \
 	--with-libcap-ng=no \
 	--disable-static \
-	--with-python3=no \
+	--with-python=no \
 	--disable-zos-remote
 
 %make_build -C common
@@ -179,8 +178,6 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_libdir}/libaudit.so
 %{_libdir}/libauparse.so
 %{_includedir}/libaudit.h
-%{_includedir}/audit_logging.h
-%{_includedir}/audit-records.h
 %{_includedir}/auparse.h
 %{_includedir}/auparse-defs.h
 %{_mandir}/man3/*

auditd.service-fix-plugin-termination.patch

@@ -1,14 +0,0 @@
----
- init.d/auditd.service |    1 +
- 1 file changed, 1 insertion(+)
-
---- a/init.d/auditd.service
-+++ b/init.d/auditd.service
-@@ -29,6 +29,7 @@ ExecStopPost=/sbin/auditctl -R /etc/audi
- Restart=on-failure
- # Do not restart for intentional exits. See EXIT CODES section in auditd(8).
- RestartPreventExitStatus=2 4 6
-+KillMode=mixed
- 
- ### Security Settings ###
- MemoryDenyWriteExecute=true

create-augenrules-service.patch

@@ -0,0 +1,97 @@
+Index: audit-3.1.1/init.d/augenrules.service
+===================================================================
+--- /dev/null
++++ audit-3.1.1/init.d/augenrules.service
+@@ -0,0 +1,29 @@
++[Unit]
++Description=auditd rules generation
++After=auditd.service
++Documentation=man:augenrules(8)
++
++[Service]
++Type=oneshot
++## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
++ExecStart=/sbin/augenrules --load
++# We need RemainAfterExit=true so augenrules is called again
++# in case auditd.service is restarted.
++RemainAfterExit=true
++
++### Security Settings ###
++MemoryDenyWriteExecute=true
++LockPersonality=true
++ProtectControlGroups=true
++ProtectKernelModules=true
++ProtectHome=true
++RestrictRealtime=true
++# for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelLogs=true
++ReadWritePaths=/etc/audit
+Index: audit-3.1.1/init.d/auditd.service
+===================================================================
+--- audit-3.1.1.orig/init.d/auditd.service
++++ audit-3.1.1/init.d/auditd.service
+@@ -15,15 +15,16 @@ ConditionKernelCommandLine=!audit=0
+ ConditionKernelCommandLine=!audit=off
+ 
+ Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
++Requires=augenrules.service
++# This unit clears rules on stop, so make sure that augenrules runs again
++PropagatesStopTo=augenrules.service
+ 
+ [Service]
+ Type=forking
+ PIDFile=/run/auditd.pid
+ ExecStart=/sbin/auditd
+-## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
+-## and comment/delete the next line and uncomment the auditctl line.
+-## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
+-ExecStartPost=-/sbin/augenrules --load
++## To not use augenrules: copy this file to /etc/systemd/system/auditd.service,
++## uncomment the next line, and comment the Requires=augenrules.service above.
+ #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
+ # By default we clear the rules on exit. To disable this, comment
+ # the next line after copying the file to /etc/systemd/system/auditd.service
+@@ -47,7 +48,6 @@ ProtectClock=true
+ ProtectKernelTunables=true
+ ProtectKernelLogs=true
+ # end of automatic additions 
+-ReadWritePaths=/etc/audit
+ 
+ [Install]
+ WantedBy=multi-user.target
+Index: audit-3.1.1/init.d/Makefile.am
+===================================================================
+--- audit-3.1.1.orig/init.d/Makefile.am
++++ audit-3.1.1/init.d/Makefile.am
+@@ -26,7 +26,8 @@ EXTRA_DIST = auditd.init auditd.service
+ 	auditd.cron libaudit.conf auditd.condrestart \
+ 	auditd.reload auditd.restart auditd.resume \
+ 	auditd.rotate auditd.state auditd.stop \
+-	audit-stop.rules augenrules audit-functions
++	audit-stop.rules augenrules audit-functions \
++	augenrules.service
+ libconfig = libaudit.conf
+ if ENABLE_SYSTEMD
+ initdir = /usr/lib/systemd/system
+@@ -54,6 +55,7 @@ if ENABLE_SYSTEMD
+ 	mkdir -p ${DESTDIR}${legacydir}
+ 	mkdir -p ${DESTDIR}${libexecdir}
+ 	$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/auditd.service ${DESTDIR}${initdir}
++	$(INSTALL_SCRIPT) -D -m 644 ${srcdir}/augenrules.service ${DESTDIR}${initdir}
+ 	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.rotate ${DESTDIR}${legacydir}/rotate
+ 	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.resume ${DESTDIR}${legacydir}/resume
+ 	$(INSTALL_SCRIPT) -D -m 750 ${srcdir}/auditd.reload ${DESTDIR}${legacydir}/reload
+@@ -72,6 +74,7 @@ uninstall-hook:
+ 	rm ${DESTDIR}${sysconfdir}/${libconfig}
+ if ENABLE_SYSTEMD
+ 	rm ${DESTDIR}${initdir}/auditd.service
++	rm ${DESTDIR}${initdir}/augenrules.service
+ 	rm ${DESTDIR}${legacydir}/rotate
+ 	rm ${DESTDIR}${legacydir}/resume
+ 	rm ${DESTDIR}${legacydir}/reload

enable-stop-rules.patch

@@ -11,19 +11,18 @@ Disable audit when auditd.service stops, so kauditd stops logging/running.
 
 Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
 
----
+Index: audit-3.0.9/init.d/auditd.service
- init.d/auditd.service |    4 ++++
+===================================================================
- 1 file changed, 4 insertions(+)
+--- audit-3.0.9.orig/init.d/auditd.service
-
++++ audit-3.0.9/init.d/auditd.service
---- a/init.d/auditd.service
+@@ -25,9 +25,9 @@ ExecStart=/sbin/auditd
-+++ b/init.d/auditd.service
+ ## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
-@@ -22,6 +22,10 @@ Documentation=man:auditd(8) https://gith
+ ExecStartPost=-/sbin/augenrules --load
- Type=forking
+ #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
- PIDFile=/run/auditd.pid
+-# By default we don't clear the rules on exit. To enable this, uncomment
- ExecStart=/sbin/auditd
-+ExecStartPost=-/sbin/augenrules --load
 +# By default we clear the rules on exit. To disable this, comment
-+# the next line after copying the file to /etc/systemd/system/auditd.service
+ # the next line after copying the file to /etc/systemd/system/auditd.service
+-#ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
 +ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
  Restart=on-failure
  # Do not restart for intentional exits. See EXIT CODES section in auditd(8).

fix-auparse-test.patch

@@ -1,223 +0,0 @@
----
- auparse/test/auparse_test.c      |    2 +-
- auparse/test/auparse_test.py     |    2 +-
- auparse/test/auparse_test.ref    |   18 +++++++++---------
- auparse/test/auparse_test.ref.py |   18 +++++++++---------
- auparse/test/test.log            |    4 ++--
- auparse/test/test2.log           |    4 ++--
- 6 files changed, 24 insertions(+), 24 deletions(-)
-
---- a/auparse/test/auparse_test.c
-+++ b/auparse/test/auparse_test.c
-@@ -162,7 +162,7 @@ void compound_search(ausearch_rule_t how
- 			exit(1);
- 		}
- 	} else {
--		if (ausearch_add_item(au, "auid", "=", "42",
-+		if (ausearch_add_item(au, "auid", "=", "123456",
- 							 AUSEARCH_RULE_CLEAR)){
- 			printf("ausearch_add_item 4 error - %s\n",
- 						strerror(errno));
---- a/auparse/test/auparse_test.py
-+++ b/auparse/test/auparse_test.py
-@@ -112,7 +112,7 @@ def compound_search(au, how):
-         au.search_add_item("pid", "=", "13015", how)
-         au.search_add_item("type", "=", "USER_START", how)
-     else:
--        au.search_add_item("auid", "=", "42", auparse.AUSEARCH_RULE_CLEAR)
-+        au.search_add_item("auid", "=", "123456", auparse.AUSEARCH_RULE_CLEAR)
-         # should stop on this one
-         au.search_add_item("auid", "=", "0", how)
-         au.search_add_item("auid", "=", "500", how)
---- a/auparse/test/auparse_test.ref
-+++ b/auparse/test/auparse_test.ref
-@@ -188,7 +188,7 @@ event 4 has 3 records
-         uid=0 (root)
-         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
-         old-auid=4294967295 (unset)
--        auid=42 (gdm)
-+        auid=123456 (unknown(123456))
-         tty=(none) ((none))
-         old-ses=4294967295 (4294967295)
-         ses=1 (1)
-@@ -209,7 +209,7 @@ event 4 has 3 records
-         items=0 (0)
-         ppid=1 (1)
-         pid=2288 (2288)
--        auid=42 (gdm)
-+        auid=123456 (unknown(123456))
-         uid=0 (root)
-         gid=0 (root)
-         euid=0 (root)
-@@ -389,7 +389,7 @@ event 4 has 3 records
-         uid=0 (root)
-         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
-         old-auid=4294967295 (unset)
--        auid=42 (gdm)
-+        auid=123456 (unknown(123456))
-         tty=(none) ((none))
-         old-ses=4294967295 (4294967295)
-         ses=1 (1)
-@@ -410,7 +410,7 @@ event 4 has 3 records
-         items=0 (0)
-         ppid=1 (1)
-         pid=2288 (2288)
--        auid=42 (gdm)
-+        auid=123456 (unknown(123456))
-         uid=0 (root)
-         gid=0 (root)
-         euid=0 (root)
-@@ -587,7 +587,7 @@ event 11 has 3 records
-         uid=0 (root)
-         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
-         old-auid=4294967295 (unset)
--        auid=42 (gdm)
-+        auid=123456 (unknown(123456))
-         tty=(none) ((none))
-         old-ses=4294967295 (4294967295)
-         ses=1 (1)
-@@ -608,7 +608,7 @@ event 11 has 3 records
-         items=0 (0)
-         ppid=1 (1)
-         pid=2288 (2288)
--        auid=42 (gdm)
-+        auid=123456 (unknown(123456))
-         uid=0 (root)
-         gid=0 (root)
-         euid=0 (root)
-@@ -699,7 +699,7 @@ Test 6 Done
- 
- Starting Test 7, compound search...
- Found type = USER_START
--Found auid = 42
-+Found auid = 123456
- Test 7 Done
- 
- Starting Test 8, regex search...
-@@ -874,7 +874,7 @@ event 4 has 3 records
-         uid=0 (root)
-         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
-         old-auid=4294967295 (unset)
--        auid=42 (gdm)
-+        auid=123456 (unknown(123456))
-         tty=(none) ((none))
-         old-ses=4294967295 (4294967295)
-         ses=1 (1)
-@@ -895,7 +895,7 @@ event 4 has 3 records
-         items=0 (0)
-         ppid=1 (1)
-         pid=2288 (2288)
--        auid=42 (gdm)
-+        auid=123456 (unknown(123456))
-         uid=0 (root)
-         gid=0 (root)
-         euid=0 (root)
---- a/auparse/test/auparse_test.ref.py
-+++ b/auparse/test/auparse_test.ref.py
-@@ -180,7 +180,7 @@ event 4 has 3 records
-         uid=0 (root)
-         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
-         old-auid=4294967295 (unset)
--        auid=42 (gdm)
-+        auid=123456 (unknown(123456))
-         tty=(none) ((none))
-         old-ses=4294967295 (4294967295)
-         ses=1 (1)
-@@ -201,7 +201,7 @@ event 4 has 3 records
-         items=0 (0)
-         ppid=1 (1)
-         pid=2288 (2288)
--        auid=42 (gdm)
-+        auid=123456 (unknown(123456))
-         uid=0 (root)
-         gid=0 (root)
-         euid=0 (root)
-@@ -381,7 +381,7 @@ event 4 has 3 records
-         uid=0 (root)
-         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
-         old-auid=4294967295 (unset)
--        auid=42 (gdm)
-+        auid=123456 (unknown(123456))
-         tty=(none) ((none))
-         old-ses=4294967295 (4294967295)
-         ses=1 (1)
-@@ -402,7 +402,7 @@ event 4 has 3 records
-         items=0 (0)
-         ppid=1 (1)
-         pid=2288 (2288)
--        auid=42 (gdm)
-+        auid=123456 (unknown(123456))
-         uid=0 (root)
-         gid=0 (root)
-         euid=0 (root)
-@@ -579,7 +579,7 @@ event 11 has 3 records
-         uid=0 (root)
-         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
-         old-auid=4294967295 (unset)
--        auid=42 (gdm)
-+        auid=123456 (unknown(123456))
-         tty=(none) ((none))
-         old-ses=4294967295 (4294967295)
-         ses=1 (1)
-@@ -600,7 +600,7 @@ event 11 has 3 records
-         items=0 (0)
-         ppid=1 (1)
-         pid=2288 (2288)
--        auid=42 (gdm)
-+        auid=123456 (unknown(123456))
-         uid=0 (root)
-         gid=0 (root)
-         euid=0 (root)
-@@ -691,7 +691,7 @@ Test 6 Done
- 
- Starting Test 7, compound search...
- Found type = USER_START
--Found auid = 42
-+Found auid = 123456
- Test 7 Done
- 
- Starting Test 8, regex search...
-@@ -864,7 +864,7 @@ event 4 has 3 records
-         uid=0 (root)
-         subj=system_u:system_r:init_t:s0 (system_u:system_r:init_t:s0)
-         old-auid=4294967295 (unset)
--        auid=42 (gdm)
-+        auid=123456 (unknown(123456))
-         tty=(none) ((none))
-         old-ses=4294967295 (4294967295)
-         ses=1 (1)
-@@ -885,7 +885,7 @@ event 4 has 3 records
-         items=0 (0)
-         ppid=1 (1)
-         pid=2288 (2288)
--        auid=42 (gdm)
-+        auid=123456 (unknown(123456))
-         uid=0 (root)
-         gid=0 (root)
-         euid=0 (root)
---- a/auparse/test/test2.log
-+++ b/auparse/test/test2.log
-@@ -4,8 +4,8 @@ type=CWD msg=audit(1170021493.977:283):
- type=PATH msg=audit(1170021493.977:283): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
- type=USER_ACCT msg=audit(1170021601.340:284): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
- type=CRED_ACQ msg=audit(1170021601.342:285): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
--type=LOGIN msg=audit(1170021601.343:286): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=42 tty=(none) old-ses=4294967295 ses=1 res=1
--type=SYSCALL msg=audit(1170021601.343:286): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=42 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
-+type=LOGIN msg=audit(1170021601.343:286): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=123456 tty=(none) old-ses=4294967295 ses=1 res=1
-+type=SYSCALL msg=audit(1170021601.343:286): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=123456 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
- type=PROCTITLE msg=audit(1170021601.343:286): proctitle="(systemd)"
- type=USER_START msg=audit(1170021601.344:287): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
- type=CRED_DISP msg=audit(1170021601.364:288): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
---- a/auparse/test/test.log
-+++ b/auparse/test/test.log
-@@ -4,8 +4,8 @@ type=CWD msg=audit(1170021493.977:293):
- type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
- type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
- type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
--type=LOGIN msg=audit(1170021601.343:296): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=42 tty=(none) old-ses=4294967295 ses=1 res=1
--type=SYSCALL msg=audit(1170021601.343:296): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=42 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
-+type=LOGIN msg=audit(1170021601.343:296): pid=2288 uid=0 subj=system_u:system_r:init_t:s0 old-auid=4294967295 auid=123456 tty=(none) old-ses=4294967295 ses=1 res=1
-+type=SYSCALL msg=audit(1170021601.343:296): arch=c000003e syscall=1 success=yes exit=2 a0=8 a1=7fffa7aede20 a2=2 a3=0 items=0 ppid=1 pid=2288 auid=123456 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="(systemd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
- type=PROCTITLE msg=audit(1170021601.343:296): proctitle="(systemd)"
- type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
- type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'

libev-werror.patch

@@ -0,0 +1,26 @@
+From: Jan Engelhardt <jengelh@inai.de>
+Date: 2021-06-02 16:18:03.256597842 +0200
+
+Cherry-pick http://cvs.schmorp.de/libev/ev_iouring.c?view=log&r1=1.25
+to fix some terrible code.
+
+[   50s] ev_iouring.c: In function 'iouring_sqe_submit':
+[   50s] ev_iouring.c:300:1: error: no return statement in function returning non-void [-Werror=return-type]
+
+---
+ src/libev/ev_iouring.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: audit-3.0.1/src/libev/ev_iouring.c
+===================================================================
+--- audit-3.0.1.orig/src/libev/ev_iouring.c
++++ audit-3.0.1/src/libev/ev_iouring.c
+@@ -287,7 +287,7 @@ iouring_sqe_get (EV_P)
+ }
+ 
+ inline_size
+-struct io_uring_sqe *
++void
+ iouring_sqe_submit (EV_P_ struct io_uring_sqe *sqe)
+ {
+   unsigned idx = sqe - EV_SQES;