audit package update

Signed-off-by: basebuilder_pel7ppc64bebuilder0 <basebuilder@powerel.org>

SOURCES/audit-2.7.1-rhel7-fixup.patch

@@ -0,0 +1,21 @@
+diff -urp audit-2.7.1.orig/auparse/classify.c audit-2.7.1/auparse/classify.c
+--- audit-2.7.1.orig/auparse/normalize.c	2016-12-21 19:00:51.000000000 -0500
++++ audit-2.7.1/auparse/normalize.c	2016-12-22 12:22:21.259800153 -0500
+@@ -241,7 +241,7 @@ static void simple_file_attr(auparse_sta
+ 		switch (type)
+ 		{
+ 			case AUDIT_PATH:
+-				f = auparse_find_field(au, "nametype");
++				f = auparse_find_field(au, "objtype");
+ 				if (f && strcmp(f, "PARENT") == 0) {
+ 					if (parent == 0)
+ 					    parent = auparse_get_record_num(au);
+@@ -280,7 +280,7 @@ static void set_file_object(auparse_stat
+ 
+ 	// Now double check that we picked the right one.
+ 	do {
+-		f = auparse_find_field(au, "nametype");
++		f = auparse_find_field(au, "objtype");
+ 		if (f) {
+ 			if (strcmp(f, "PARENT"))
+ 				break;

SOURCES/audit-2.7.5-no-backlog-wait-time.patch

@@ -0,0 +1,38 @@
+diff -ur audit-2.7.5.orig/docs/auditctl.8 audit-2.7.5/docs/auditctl.8
+--- audit-2.7.5.orig/docs/auditctl.8	2017-04-10 10:22:22.000000000 -0400
++++ audit-2.7.5/docs/auditctl.8	2017-04-10 10:46:51.704436241 -0400
+@@ -10,9 +10,6 @@
+ .BI \-b\  backlog
+ Set max number of outstanding audit buffers allowed (Kernel Default=64) If all buffers are full, the failure flag is consulted by the kernel for action.
+ .TP
+-.BI \-\-backlog_wait_time \ \fIwait_time\fP
+-Set the time for the kernel to wait (Kernel Default 60*HZ) when the backlog_limit is reached before queuing more audit events to be transferred to auditd. The number must be greater than or equal to zero and less that 10 times the default value.
+-.TP
+ .B \-c
+ Continue loading rules in spite of an error. This summarizes the results of loading the rules. The exit code will not be success if any rule fails to load.
+ .TP
+diff -ur audit-2.7.5.orig/docs/Makefile.in audit-2.7.5/docs/Makefile.in
+--- audit-2.7.5.orig/docs/Makefile.in	2017-04-10 10:31:52.000000000 -0400
++++ audit-2.7.5/docs/Makefile.in	2017-04-10 10:49:12.389447484 -0400
+@@ -373,7 +373,7 @@
+ ausearch_next_event.3 ausearch_set_stop.3 \
+ autrace.8 get_auditfail_action.3 set_aumessage_mode.3 \
+ audispd.8 audispd.conf.5 audispd-zos-remote.8 libaudit.conf.5 \
+-augenrules.8 audit_set_backlog_wait_time.3 \
++augenrules.8 \
+ zos-remote.conf.5 
+ 
+ all: all-am
+diff -ur audit-2.7.5.orig/rules/10-base-config.rules audit-2.7.5/rules/10-base-config.rules
+--- audit-2.7.5.orig/rules/10-base-config.rules	2017-04-10 10:22:22.000000000 -0400
++++ audit-2.7.5/rules/10-base-config.rules	2017-04-10 10:47:56.555441424 -0400
+@@ -5,9 +5,6 @@
+ ## Make this bigger for busy systems
+ -b 8192
+ 
+-## This determine how long to wait in burst of events
+---backlog_wait_time 0
+-
+ ## Set failure mode to syslog
+ -f 1
+ 

SOURCES/audit-2.8.2-auparse-numeric_field.patch

@@ -0,0 +1,12 @@
+diff --git a/auparse/expression.c b/auparse/expression.c
+index 17213eb..1e8876e 100644
+--- a/auparse/expression.c
++++ b/auparse/expression.c
+@@ -854,6 +854,7 @@ expr_create_timestamp_comparison_ex(unsigned op, time_t sec, unsigned milli,
+ 	       || op == EO_VALUE_LE || op == EO_VALUE_GT || op == EO_VALUE_GE);
+ 	res->op = op;
+ 	res->virtual_field = 1;
++	res->numeric_field = 1;
+ 	res->v.p.field.id = EF_TIMESTAMP_EX;
+ 	res->precomputed_value = 1;
+ 	res->v.p.value.timestamp_ex.sec = sec;

SOURCES/audit-2.8.2-fix-reset-lost-return.patch

@@ -0,0 +1,141 @@
+Subject: [PATCH 2/2] lost_reset: return value rather than sequence number when zero
+Date: Wed, 22 Nov 2017 19:00:57 -0500
+
+The kernel always returns negative values on error, so zero and anything
+positive is valid success.  Lost_reset returned a positive value at the
+time of reset, including zero that got interpreted as success and
+replaced with the packet sequence number "2".
+
+Rename audit_send() to __audit_send() and pass the sequence number back
+via a parameter rather than return value.
+
+Have a new stub audit_send() call __audit_send() and mimic the previous
+behaviour of audit_send().
+
+There are legacy functions that actually use a sequence number:
+	audit_request_rules_list_data()
+		delete_all_rules()
+	audit_request_signal_info()
+		src/auditd.c:get_reply()
+A number of others don't appear to need it, but expose it in libaudit:
+	audit_send_user_message()
+       		audit_log_user_comm_message()
+		audit_log_acct_message()
+		audit_log_user_avc_message()
+		audit_log_semanage_message()
+		audit_log_user_command()
+	audit_request_status()
+	audit_set_enabled()
+	audit_set_failure()
+	audit_set_rate_limit()
+	audit_set_backlog_limit()
+	audit_set_backlog_wait_time()
+	audit_add_rule_data()
+	audit_delete_rule_data()
+
+Passes all audit-testsuite tests.
+
+See: https://github.com/linux-audit/audit-userspace/issues/31
+
+Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
+---
+ lib/libaudit.c |  3 ++-
+ lib/netlink.c  | 28 ++++++++++++++++++++--------
+ lib/private.h  |  1 +
+ 3 files changed, 23 insertions(+), 9 deletions(-)
+
+diff --git a/lib/libaudit.c b/lib/libaudit.c
+index a9ba575..aa8258c 100644
+--- a/lib/libaudit.c
++++ b/lib/libaudit.c
+@@ -519,6 +519,7 @@ int audit_set_backlog_wait_time(int fd, uint32_t bwt)
+ int audit_reset_lost(int fd)
+ {
+ 	int rc;
++	int seq;
+ 	struct audit_status s;
+ 
+ 	if ((audit_get_features() & AUDIT_FEATURE_BITMAP_LOST_RESET) == 0)
+@@ -527,7 +528,7 @@ int audit_reset_lost(int fd)
+ 	memset(&s, 0, sizeof(s));
+ 	s.mask = AUDIT_STATUS_LOST;
+ 	s.lost = 0;
+-	rc = audit_send(fd, AUDIT_SET, &s, sizeof(s));
++	rc = __audit_send(fd, AUDIT_SET, &s, sizeof(s), &seq);
+ 	if (rc < 0)
+ 		audit_msg(audit_priority(errno),
+ 			"Error sending lost reset request (%s)", 
+diff --git a/lib/netlink.c b/lib/netlink.c
+index 6e23883..5b2028f 100644
+--- a/lib/netlink.c
++++ b/lib/netlink.c
+@@ -203,7 +203,7 @@ static int adjust_reply(struct audit_reply *rep, int len)
+  *                   error:   -errno
+  *                   short:   0
+  */
+-int audit_send(int fd, int type, const void *data, unsigned int size)
++int __audit_send(int fd, int type, const void *data, unsigned int size, int *seq)
+ {
+ 	static int sequence = 0;
+ 	struct audit_message req;
+@@ -224,6 +224,7 @@ int audit_send(int fd, int type, const void *data, unsigned int size)
+ 
+ 	if (++sequence < 0) 
+ 		sequence = 1;
++	*seq = sequence;
+ 
+ 	memset(&req, 0, sizeof(req));
+ 	req.nlh.nlmsg_len = NLMSG_SPACE(size);
+@@ -241,18 +242,29 @@ int audit_send(int fd, int type, const void *data, unsigned int size)
+ 		retval = sendto(fd, &req, req.nlh.nlmsg_len, 0,
+ 			(struct sockaddr*)&addr, sizeof(addr));
+ 	} while (retval < 0 && errno == EINTR);
+-	if (retval == (int)req.nlh.nlmsg_len) {
+-		if ((retval = check_ack(fd)) == 0)
+-			return sequence;
+-		else
+-			return retval; 
+-	}
+-	if (retval < 0) 
++	if (retval == (int)req.nlh.nlmsg_len)
++		return check_ack(fd);
++	if (retval < 0) {
+ 		return -errno;
++	} else if (retval > 0) {
++		errno = EINVAL;
++		return -errno;
++	}
+ 
+ 	return 0;
+ }
+ 
++int audit_send(int fd, int type, const void *data, unsigned int size)
++{
++	int rc;
++	int seq;
++
++	rc = __audit_send(fd, type, data, size, &seq);
++	if (rc == 0)
++		rc = seq;
++	return rc;
++}
++
+ /*
+  * This function will take a peek into the next packet and see if there's
+  * an error. If so, the error is returned and its non-zero. Otherwise a 
+diff --git a/lib/private.h b/lib/private.h
+index dbe0f74..560740f 100644
+--- a/lib/private.h
++++ b/lib/private.h
+@@ -121,6 +121,7 @@ void audit_msg(int priority, const char *fmt, ...)
+ #endif
+ 
+ extern int audit_send(int fd, int type, const void *data, unsigned int size);
++extern int __audit_send(int fd, int type, const void *data, unsigned int size, int *seq);
+ 
+ AUDIT_HIDDEN_START
+ 
+-- 
+1.8.3.1
+
+

SOURCES/audit-2.8.2-ipv6-bind.patch

@@ -0,0 +1,76 @@
+From 659bfd369dc6810ac5349c433455c0d317482354 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 17 Oct 2017 14:31:46 -0400
+Subject: [PATCH] Fixup ipv6 server side binding
+
+---
+ src/auditd-listen.c | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+
+diff --git a/src/auditd-listen.c b/src/auditd-listen.c
+index 7a5c2c6..0d1717f 100644
+--- a/src/auditd-listen.c
++++ b/src/auditd-listen.c
+@@ -914,6 +914,7 @@ int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config)
+ 	struct addrinfo hints;
+ 	char local[16];
+ 	int one = 1, rc;
++	int prefer_ipv6 = 0;
+ 
+ 	ev_periodic_init(&periodic_watcher, periodic_handler,
+ 			  0, config->tcp_client_max_idle, NULL);
+@@ -929,6 +930,7 @@ int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config)
+ 	memset(&hints, '\0', sizeof(hints));
+ 	hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG;
+ 	hints.ai_socktype = SOCK_STREAM;
++	hints.ai_family = AF_UNSPEC;
+ 	snprintf(local, sizeof(local), "%ld", config->tcp_listen_port);
+ 
+ 	rc = getaddrinfo(NULL, local, &hints, &ai);
+@@ -937,9 +939,32 @@ int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config)
+ 		return 1;
+ 	}
+ 
++	{
++	int ipv4 = 0, ipv6 = 0;
+ 	nlsocks = 0;
+ 	runp = ai;
+ 	while (runp && nlsocks < N_SOCKS) {
++		// Let's take a pass through and see what we got.
++		if (runp->ai_family == AF_INET)
++			ipv4++;
++		else if (runp->ai_family == AF_INET6)
++			ipv6++;
++		runp = runp->ai_next;
++		nlsocks++;
++	}
++
++	if (nlsocks == 2 && ipv4 && ipv6)
++		prefer_ipv6 = 1;
++	}
++
++	nlsocks = 0;
++	runp = ai;
++	while (runp && nlsocks < N_SOCKS) {
++		// On linux, ipv6 sockets by default include ipv4 so
++		// we only need one.
++		if (runp->ai_family == AF_INET && prefer_ipv6)
++			goto next_try;
++			
+ 		listen_socket[nlsocks] = socket(runp->ai_family,
+ 				 runp->ai_socktype, runp->ai_protocol);
+ 		if (listen_socket[nlsocks] < 0) {
+@@ -950,6 +975,13 @@ int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config)
+ 		/* This avoids problems if auditd needs to be restarted.  */
+ 		setsockopt(listen_socket[nlsocks], SOL_SOCKET, SO_REUSEADDR,
+ 				(char *)&one, sizeof (int));
++
++		// If we had more than 2 addresses suggested we'll
++		// separate the sockets.
++		if (!prefer_ipv6 && runp->ai_family == AF_INET6)
++			setsockopt(listen_socket[nlsocks], IPPROTO_IPV6,
++				IPV6_V6ONLY, &one, sizeof(int));
++
+ 		set_close_on_exec(listen_socket[nlsocks]);
+ 
+ 		if (bind(listen_socket[nlsocks], runp->ai_addr,

SOURCES/audit-2.8.2-style-fix.patch

@@ -0,0 +1,578 @@
+From 63151c4f0e9d1d037f80f10cb7809573a49da6c7 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 17 Oct 2017 13:33:28 -0400
+Subject: [PATCH] make style match rest of audit system
+
+---
+ src/auditd-listen.c | 176 ++++++++++++++++++++++++++--------------------------
+ 1 file changed, 88 insertions(+), 88 deletions(-)
+
+diff --git a/src/auditd-listen.c b/src/auditd-listen.c
+index b4dc097..7a5c2c6 100644
+--- a/src/auditd-listen.c
++++ b/src/auditd-listen.c
+@@ -114,11 +114,11 @@ static char *sockaddr_to_addr4(struct sockaddr_in *addr)
+ 
+ static void set_close_on_exec(int fd)
+ {
+-	int flags = fcntl (fd, F_GETFD);
++	int flags = fcntl(fd, F_GETFD);
+ 	if (flags == -1)
+ 		flags = 0;
+ 	flags |= FD_CLOEXEC;
+-	fcntl (fd, F_SETFD, flags);
++	fcntl(fd, F_SETFD, flags);
+ }
+ 
+ static void release_client(struct ev_tcp *client)
+@@ -144,11 +144,11 @@ static void release_client(struct ev_tcp *client)
+ 
+ static void close_client(struct ev_tcp *client)
+ {
+-	release_client (client);
+-	free (client);
++	release_client(client);
++	free(client);
+ }
+ 
+-static int ar_write (int sock, const void *buf, int len)
++static int ar_write(int sock, const void *buf, int len)
+ {
+ 	int rc = 0, w;
+ 	while (len > 0) {
+@@ -167,7 +167,7 @@ static int ar_write (int sock, const void *buf, int len)
+ }
+ 
+ #ifdef USE_GSSAPI
+-static int ar_read (int sock, void *buf, int len)
++static int ar_read(int sock, void *buf, int len)
+ {
+ 	int rc = 0, r;
+ 	while (len > 0) {
+@@ -192,13 +192,13 @@ static int ar_read (int sock, void *buf, int len)
+    the tokens.  The protocol we use for transferring tokens is to send
+    the length first, four bytes MSB first, then the token data.  We
+    return nonzero on error.  */
+-static int recv_token (int s, gss_buffer_t tok)
++static int recv_token(int s, gss_buffer_t tok)
+ {
+ 	int ret;
+ 	unsigned char lenbuf[4];
+ 	unsigned int len;
+ 
+-	ret = ar_read(s, (char *) lenbuf, 4);
++	ret = ar_read(s, (char *)lenbuf, 4);
+ 	if (ret < 0) {
+ 		audit_msg(LOG_ERR, "GSS-API error reading token length");
+ 		return -1;
+@@ -220,13 +220,13 @@ static int recv_token (int s, gss_buffer_t tok)
+ 	}
+ 	tok->length = len;
+ 
+-	tok->value = (char *) malloc(tok->length ? tok->length : 1);
++	tok->value = (char *)malloc(tok->length ? tok->length : 1);
+ 	if (tok->length && tok->value == NULL) {
+ 		audit_msg(LOG_ERR, "Out of memory allocating token data");
+ 		return -1;
+ 	}
+ 
+-	ret = ar_read(s, (char *) tok->value, tok->length);
++	ret = ar_read(s, (char *)tok->value, tok->length);
+ 	if (ret < 0) {
+ 		audit_msg(LOG_ERR, "GSS-API error reading token data");
+ 		free(tok->value);
+@@ -243,7 +243,7 @@ static int recv_token (int s, gss_buffer_t tok)
+ /* Same here.  */
+ int send_token(int s, gss_buffer_t tok)
+ {
+-	int     ret;
++	int ret;
+ 	unsigned char lenbuf[4];
+ 	unsigned int len;
+ 
+@@ -268,7 +268,7 @@ int send_token(int s, gss_buffer_t tok)
+ 	if (ret < 0) {
+ 		audit_msg(LOG_ERR, "GSS-API error sending token data");
+ 		return -1;
+-	} else if (ret != (int) tok->length) {
++	} else if (ret != (int)tok->length) {
+ 		audit_msg(LOG_ERR, "GSS-API error sending token data");
+ 		return -1;
+ 	}
+@@ -277,14 +277,14 @@ int send_token(int s, gss_buffer_t tok)
+ }
+ 
+ 
+-static void gss_failure_2 (const char *msg, int status, int type)
++static void gss_failure_2(const char *msg, int status, int type)
+ {
+ 	OM_uint32 message_context = 0;
+ 	OM_uint32 min_status = 0;
+ 	gss_buffer_desc status_string;
+ 
+ 	do {
+-		gss_display_status (&min_status,
++		gss_display_status(&min_status,
+ 				    status,
+ 				    type,
+ 				    GSS_C_NO_OID,
+@@ -298,11 +298,11 @@ static void gss_failure_2 (const char *msg, int status, int type)
+ 	} while (message_context != 0);
+ }
+ 
+-static void gss_failure (const char *msg, int major_status, int minor_status)
++static void gss_failure(const char *msg, int major_status, int minor_status)
+ {
+-	gss_failure_2 (msg, major_status, GSS_C_GSS_CODE);
++	gss_failure_2(msg, major_status, GSS_C_GSS_CODE);
+ 	if (minor_status)
+-		gss_failure_2 (msg, minor_status, GSS_C_MECH_CODE);
++		gss_failure_2(msg, minor_status, GSS_C_MECH_CODE);
+ }
+ 
+ #define KCHECK(x,f) if (x) { \
+@@ -323,7 +323,7 @@ static int server_acquire_creds(const char *service_name,
+ 	krb5_context kcontext = NULL;
+ 	int krberr;
+ 
+-	my_service_name = strdup (service_name);
++	my_service_name = strdup(service_name);
+ 	name_buf.value = (char *)service_name;
+ 	name_buf.length = strlen(name_buf.value) + 1;
+ 	major_status = gss_import_name(&minor_status, &name_buf,
+@@ -346,9 +346,9 @@ static int server_acquire_creds(const char *service_name,
+ 
+ 	(void) gss_release_name(&minor_status, &server_name);
+ 
+-	krberr = krb5_init_context (&kcontext);
++	krberr = krb5_init_context(&kcontext);
+ 	KCHECK (krberr, "krb5_init_context");
+-	krberr = krb5_get_default_realm (kcontext, &my_gss_realm);
++	krberr = krb5_get_default_realm(kcontext, &my_gss_realm);
+ 	KCHECK (krberr, "krb5_get_default_realm");
+ 
+ 	audit_msg(LOG_DEBUG, "GSS creds for %s acquired", service_name);
+@@ -360,7 +360,7 @@ static int server_acquire_creds(const char *service_name,
+    the case of Kerberos, this is where the key exchange happens.
+    FIXME: While everything else is strictly nonblocking, this
+    negotiation blocks.  */
+-static int negotiate_credentials (ev_tcp *io)
++static int negotiate_credentials(ev_tcp *io)
+ {
+ 	gss_buffer_desc send_tok, recv_tok;
+ 	gss_name_t client;
+@@ -440,12 +440,12 @@ static int negotiate_credentials (ev_tcp *io)
+ 
+ 	audit_msg(LOG_INFO, "GSS-API Accepted connection from: %s",
+ 		  (char *)recv_tok.value);
+-	io->remote_name = strdup (recv_tok.value);
+-	io->remote_name_len = strlen (recv_tok.value);
++	io->remote_name = strdup(recv_tok.value);
++	io->remote_name_len = strlen(recv_tok.value);
+ 	gss_release_buffer(&min_stat, &recv_tok);
+ 
+-	slashptr = strchr (io->remote_name, '/');
+-	atptr = strchr (io->remote_name, '@');
++	slashptr = strchr(io->remote_name, '/');
++	atptr = strchr(io->remote_name, '@');
+ 
+ 	if (!slashptr || !atptr) {
+ 		audit_msg(LOG_ERR, "Invalid GSS name from remote client: %s",
+@@ -454,14 +454,14 @@ static int negotiate_credentials (ev_tcp *io)
+ 	}
+ 
+ 	*slashptr = 0;
+-	if (strcmp (io->remote_name, my_service_name)) {
++	if (strcmp(io->remote_name, my_service_name)) {
+ 		audit_msg(LOG_ERR, "Unauthorized GSS client name: %s (not %s)",
+ 			  io->remote_name, my_service_name);
+ 		return -1;
+ 	}
+ 	*slashptr = '/';
+ 
+-	if (strcmp (atptr+1, my_gss_realm)) {
++	if (strcmp(atptr+1, my_gss_realm)) {
+ 		audit_msg(LOG_ERR, "Unauthorized GSS client realm: %s (not %s)",
+ 			  atptr+1, my_gss_realm);
+ 		return -1;
+@@ -473,7 +473,7 @@ static int negotiate_credentials (ev_tcp *io)
+ 
+ /* This is called from auditd-event after the message has been logged.
+    The header is already filled in.  */
+-static void client_ack (void *ack_data, const unsigned char *header,
++static void client_ack(void *ack_data, const unsigned char *header,
+ 	const char *msg)
+ {
+ 	ev_tcp *io = (ev_tcp *)ack_data;
+@@ -483,18 +483,18 @@ static void client_ack (void *ack_data, const unsigned char *header,
+ 		gss_buffer_desc utok, etok;
+ 		int rc, mlen;
+ 
+-		mlen = strlen (msg);
++		mlen = strlen(msg);
+ 		utok.length = AUDIT_RMW_HEADER_SIZE + mlen;
+-		utok.value = malloc (utok.length + 1);
++		utok.value = malloc(utok.length + 1);
+ 
+-		memcpy (utok.value, header, AUDIT_RMW_HEADER_SIZE);
+-		memcpy (utok.value+AUDIT_RMW_HEADER_SIZE, msg, mlen);
++		memcpy(utok.value, header, AUDIT_RMW_HEADER_SIZE);
++		memcpy(utok.value+AUDIT_RMW_HEADER_SIZE, msg, mlen);
+ 
+ 		/* Wrapping the message creates a token for the
+ 		   client.  Then we just have to worry about sending
+ 		   the token.  */
+ 
+-		major_status = gss_wrap (&minor_status,
++		major_status = gss_wrap(&minor_status,
+ 					 io->gss_context,
+ 					 1,
+ 					 GSS_C_QOP_DEFAULT,
+@@ -504,21 +504,21 @@ static void client_ack (void *ack_data, const unsigned char *header,
+ 		if (major_status != GSS_S_COMPLETE) {
+ 			gss_failure("encrypting message", major_status,
+ 					minor_status);
+-			free (utok.value);
++			free(utok.value);
+ 			return;
+ 		}
+ 		// FIXME: What were we going to do with rc?
+-		rc = send_token (io->io.fd, &etok);
+-		free (utok.value);
++		rc = send_token(io->io.fd, &etok);
++		free(utok.value);
+ 		(void) gss_release_buffer(&minor_status, &etok);
+ 
+ 		return;
+ 	}
+ #endif
+ 	// Send the header and a text error message if it exists
+-	ar_write (io->io.fd, header, AUDIT_RMW_HEADER_SIZE);
++	ar_write(io->io.fd, header, AUDIT_RMW_HEADER_SIZE);
+ 	if (msg[0])
+-		ar_write (io->io.fd, msg, strlen(msg));
++		ar_write(io->io.fd, msg, strlen(msg));
+ }
+ 
+ extern void distribute_event(struct auditd_event *e);
+@@ -540,7 +540,7 @@ static void client_message (struct ev_tcp *io, unsigned int length,
+ 			unsigned char ack[AUDIT_RMW_HEADER_SIZE];
+ 			AUDIT_RMW_PACK_HEADER (ack, 0, AUDIT_RMW_TYPE_ACK,
+ 				0, seq);
+-			client_ack (io, ack, "");
++			client_ack(io, ack, "");
+ 		} else {
+ 			struct auditd_event *e = create_event(
+ 					header+AUDIT_RMW_HEADER_SIZE,
+@@ -552,10 +552,10 @@ static void client_message (struct ev_tcp *io, unsigned int length,
+ 	}
+ }
+ 
+-static void auditd_tcp_client_handler( struct ev_loop *loop,
+-			struct ev_io *_io, int revents )
++static void auditd_tcp_client_handler(struct ev_loop *loop,
++			struct ev_io *_io, int revents)
+ {
+-	struct ev_tcp *io = (struct ev_tcp *) _io;
++	struct ev_tcp *io = (struct ev_tcp *)_io;
+ 	int i, r;
+ 	int total_this_call = 0;
+ 
+@@ -586,18 +586,18 @@ static void auditd_tcp_client_handler( struct ev_loop *loop,
+ 	   otherwise fails, the read will return -1.  */
+ 	if (r <= 0) {
+ 		if (r < 0)
+-			audit_msg (LOG_WARNING,
++			audit_msg(LOG_WARNING,
+ 				"client %s socket closed unexpectedly",
+ 				sockaddr_to_addr4(&io->addr));
+ 
+ 		/* There may have been a final message without a LF.  */
+ 		if (io->bufptr) {
+-			client_message (io, io->bufptr, io->buffer);
++			client_message(io, io->bufptr, io->buffer);
+ 
+ 		}
+ 
+-		ev_io_stop (loop, _io);
+-		close_client (io);
++		ev_io_stop(loop, _io);
++		close_client(io);
+ 		return;
+ 	}
+ 
+@@ -635,7 +635,7 @@ static void auditd_tcp_client_handler( struct ev_loop *loop,
+ 
+ 		/* Unwrapping the token gives us the original message,
+ 		   which we know is already a single record.  */
+-		major_status = gss_unwrap (&minor_status, io->gss_context,
++		major_status = gss_unwrap(&minor_status, io->gss_context,
+ 				&etok, &utok, NULL, NULL);
+ 
+ 		if (major_status != GSS_S_COMPLETE) {
+@@ -645,10 +645,10 @@ static void auditd_tcp_client_handler( struct ev_loop *loop,
+ 			/* client_message() wants to NUL terminate it,
+ 			   so copy it to a bigger buffer.  Plus, we
+ 			   want to add our own tag.  */
+-			memcpy (msgbuf, utok.value, utok.length);
++			memcpy(msgbuf, utok.value, utok.length);
+ 			while (utok.length > 0 && msgbuf[utok.length-1] == '\n')
+ 				utok.length --;
+-			snprintf (msgbuf + utok.length,
++			snprintf(msgbuf + utok.length,
+ 				MAX_AUDIT_MESSAGE_LENGTH - utok.length,
+ 				" krb5=%s", io->remote_name);
+ 			utok.length += 6 + io->remote_name_len;
+@@ -681,7 +681,7 @@ static void auditd_tcp_client_handler( struct ev_loop *loop,
+ 			return;
+ 		
+ 		/* We have an I-byte message in buffer. Send ACK */
+-		client_message (io, i, io->buffer);
++		client_message(io, i, io->buffer);
+ 
+ 	} else {
+ 		/* At this point, the buffer has IO->BUFPTR+R bytes in it.
+@@ -701,7 +701,7 @@ static void auditd_tcp_client_handler( struct ev_loop *loop,
+ 		i++;
+ 
+ 		/* We have an I-byte message in buffer. Send ACK */
+-		client_message (io, i, io->buffer);
++		client_message(io, i, io->buffer);
+ 	}
+ 
+ 	/* Now copy any remaining bytes to the beginning of the
+@@ -730,7 +730,7 @@ static int auditd_tcpd_check(int sock)
+ 
+ 	request_init(&request, RQ_DAEMON, "auditd", RQ_FILE, sock, 0);
+ 	fromhost(&request);
+-	if (! hosts_access(&request))
++	if (!hosts_access(&request))
+ 		return 1;
+ 	return 0;
+ }
+@@ -759,7 +759,7 @@ static int check_num_connections(struct sockaddr_in *aaddr)
+ }
+ 
+ static void auditd_tcp_listen_handler( struct ev_loop *loop,
+-	struct ev_io *_io, int revents )
++	struct ev_io *_io, int revents)
+ {
+ 	int one=1;
+ 	int afd;
+@@ -770,7 +770,7 @@ static void auditd_tcp_listen_handler( struct ev_loop *loop,
+ 
+ 	/* Accept the connection and see where it's coming from.  */
+ 	aaddrlen = sizeof(aaddr);
+-	afd = accept (_io->fd, (struct sockaddr *)&aaddr, &aaddrlen);
++	afd = accept(_io->fd, (struct sockaddr *)&aaddr, &aaddrlen);
+ 	if (afd == -1) {
+         	audit_msg(LOG_ERR, "Unable to accept TCP connection");
+ 		return;
+@@ -793,8 +793,8 @@ static void auditd_tcp_listen_handler( struct ev_loop *loop,
+ 
+ 	/* Verify it's coming from an authorized port.  We assume the firewall
+ 	 * will block attempts from unauthorized machines.  */
+-	if (min_port > ntohs (aaddr.sin_port) ||
+-					ntohs (aaddr.sin_port) > max_port) {
++	if (min_port > ntohs(aaddr.sin_port) ||
++					ntohs(aaddr.sin_port) > max_port) {
+         	audit_msg(LOG_ERR, "TCP connection from %s rejected",
+ 				sockaddr_to_addr4(&aaddr));
+ 		snprintf(emsg, sizeof(emsg),
+@@ -825,29 +825,29 @@ static void auditd_tcp_listen_handler( struct ev_loop *loop,
+ 	setsockopt(afd, SOL_SOCKET, SO_REUSEADDR, (char *)&one, sizeof (int));
+ 	setsockopt(afd, SOL_SOCKET, SO_KEEPALIVE, (char *)&one, sizeof (int));
+ 	setsockopt(afd, IPPROTO_TCP, TCP_NODELAY, (char *)&one, sizeof (int));
+-	set_close_on_exec (afd);
++	set_close_on_exec(afd);
+ 
+ 	/* Make the client data structure */
+-	client = (struct ev_tcp *) malloc (sizeof (struct ev_tcp));
++	client = (struct ev_tcp *)malloc (sizeof (struct ev_tcp));
+ 	if (client == NULL) {
+         	audit_msg(LOG_CRIT, "Unable to allocate TCP client data");
+ 		snprintf(emsg, sizeof(emsg),
+ 			"op=alloc addr=%s port=%d res=no",
+ 			sockaddr_to_ipv4(&aaddr),
+-			ntohs (aaddr.sin_port));
++			ntohs(aaddr.sin_port));
+ 		send_audit_event(AUDIT_DAEMON_ACCEPT, emsg);
+ 		shutdown(afd, SHUT_RDWR);
+ 		close(afd);
+ 		return;
+ 	}
+ 
+-	memset (client, 0, sizeof (struct ev_tcp));
++	memset(client, 0, sizeof (struct ev_tcp));
+ 	client->client_active = 1;
+ 
+ 	// Was watching for EV_ERROR, but libev 3.48 took it away
+-	ev_io_init (&(client->io), auditd_tcp_client_handler, afd, EV_READ);
++	ev_io_init(&(client->io), auditd_tcp_client_handler, afd, EV_READ);
+ 
+-	memcpy (&client->addr, &aaddr, sizeof (struct sockaddr_in));
++	memcpy(&client->addr, &aaddr, sizeof (struct sockaddr_in));
+ 
+ #ifdef USE_GSSAPI
+ 	if (use_gss && negotiate_credentials (client)) {
+@@ -860,7 +860,7 @@ static void auditd_tcp_listen_handler( struct ev_loop *loop,
+ #endif
+ 
+ 	fcntl(afd, F_SETFL, O_NONBLOCK | O_NDELAY);
+-	ev_io_start (loop, &(client->io));
++	ev_io_start(loop, &(client->io));
+ 
+ 	/* Add the new connection to a linked list of active clients.  */
+ 	client->next = client_chain;
+@@ -883,7 +883,7 @@ static void auditd_set_ports(int minp, int maxp, int max_p_addr)
+ }
+ 
+ static void periodic_handler(struct ev_loop *loop, struct ev_periodic *per,
+-			int revents )
++			int revents)
+ {
+ 	struct daemon_conf *config = (struct daemon_conf *) per->data;
+ 	struct ev_tcp *ev, *next = NULL;
+@@ -902,24 +902,24 @@ static void periodic_handler(struct ev_loop *loop, struct ev_periodic *per,
+ 		audit_msg(LOG_NOTICE,
+ 			"client %s idle too long - closing connection\n",
+ 			sockaddr_to_addr4(&(ev->addr)));
+-		ev_io_stop (loop, &ev->io);
++		ev_io_stop(loop, &ev->io);
+ 		release_client(ev);
+ 		free(ev);
+ 	}
+ }
+ 
+-int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config )
++int auditd_tcp_listen_init(struct ev_loop *loop, struct daemon_conf *config)
+ {
+ 	struct addrinfo *ai, *runp;
+ 	struct addrinfo hints;
+ 	char local[16];
+ 	int one = 1, rc;
+ 
+-	ev_periodic_init (&periodic_watcher, periodic_handler,
++	ev_periodic_init(&periodic_watcher, periodic_handler,
+ 			  0, config->tcp_client_max_idle, NULL);
+ 	periodic_watcher.data = config;
+ 	if (config->tcp_client_max_idle)
+-		ev_periodic_start (loop, &periodic_watcher);
++		ev_periodic_start(loop, &periodic_watcher);
+ 
+ 	/* If the port is not set, that means we aren't going to
+ 	  listen for connections.  */
+@@ -940,7 +940,7 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config )
+ 	nlsocks = 0;
+ 	runp = ai;
+ 	while (runp && nlsocks < N_SOCKS) {
+-		listen_socket[nlsocks] = socket (runp->ai_family,
++		listen_socket[nlsocks] = socket(runp->ai_family,
+ 				 runp->ai_socktype, runp->ai_protocol);
+ 		if (listen_socket[nlsocks] < 0) {
+         		audit_msg(LOG_ERR, "Cannot create tcp listener socket");
+@@ -950,7 +950,7 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config )
+ 		/* This avoids problems if auditd needs to be restarted.  */
+ 		setsockopt(listen_socket[nlsocks], SOL_SOCKET, SO_REUSEADDR,
+ 				(char *)&one, sizeof (int));
+-		set_close_on_exec (listen_socket[nlsocks]);
++		set_close_on_exec(listen_socket[nlsocks]);
+ 
+ 		if (bind(listen_socket[nlsocks], runp->ai_addr,
+ 						runp->ai_addrlen)) {
+@@ -977,9 +977,9 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config )
+ 			 p ? p->p_name: "?");
+ 		endprotoent();
+ 
+-		ev_io_init (&tcp_listen_watcher, auditd_tcp_listen_handler,
++		ev_io_init(&tcp_listen_watcher, auditd_tcp_listen_handler,
+ 				listen_socket[nlsocks], EV_READ);
+-		ev_io_start (loop, &tcp_listen_watcher);
++		ev_io_start(loop, &tcp_listen_watcher);
+ non_fatal:
+ 		nlsocks++;
+ 		if (nlsocks == N_SOCKS)
+@@ -1014,7 +1014,7 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config )
+ 			key_file = "/etc/audit/audit.key";
+ 		setenv ("KRB5_KTNAME", key_file, 1);
+ 
+-		if (stat (key_file, &st) == 0) {
++		if (stat(key_file, &st) == 0) {
+ 			if ((st.st_mode & 07777) != 0400) {
+ 				audit_msg (LOG_ERR,
+ 			 "%s is not mode 0400 (it's %#o) - compromised key?",
+@@ -1022,7 +1022,7 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config )
+ 				return -1;
+ 			}
+ 			if (st.st_uid != 0) {
+-				audit_msg (LOG_ERR,
++				audit_msg(LOG_ERR,
+ 			 "%s is not owned by root (it's %d) - compromised key?",
+ 					   key_file, st.st_uid);
+ 				return -1;
+@@ -1036,17 +1036,16 @@ int auditd_tcp_listen_init ( struct ev_loop *loop, struct daemon_conf *config )
+ 	return 0;
+ }
+ 
+-void auditd_tcp_listen_uninit ( struct ev_loop *loop,
+-				struct daemon_conf *config )
++void auditd_tcp_listen_uninit(struct ev_loop *loop, struct daemon_conf *config)
+ {
+ #ifdef USE_GSSAPI
+ 	OM_uint32 status;
+ #endif
+ 
+-	ev_io_stop ( loop, &tcp_listen_watcher );
++	ev_io_stop(loop, &tcp_listen_watcher);
+ 	while (nlsocks >= 0) {
+ 		nlsocks--;
+-		close ( listen_socket[nlsocks] );
++		close (listen_socket[nlsocks]);
+ 	}
+ 
+ #ifdef USE_GSSAPI
+@@ -1060,29 +1059,29 @@ void auditd_tcp_listen_uninit ( struct ev_loop *loop,
+ 		unsigned char ack[AUDIT_RMW_HEADER_SIZE];
+ 
+ 		AUDIT_RMW_PACK_HEADER (ack, 0, AUDIT_RMW_TYPE_ENDING, 0, 0);
+-		client_ack (client_chain, ack, "");
+-		ev_io_stop (loop, &client_chain->io);
+-		close_client (client_chain);
++		client_ack(client_chain, ack, "");
++		ev_io_stop(loop, &client_chain->io);
++		close_client(client_chain);
+ 	}
+ 
+ 	if (config->tcp_client_max_idle)
+-		ev_periodic_stop (loop, &periodic_watcher);
++		ev_periodic_stop(loop, &periodic_watcher);
+ }
+ 
+ static void periodic_reconfigure(struct daemon_conf *config)
+ {
+-	struct ev_loop *loop = ev_default_loop (EVFLAG_AUTO);
++	struct ev_loop *loop = ev_default_loop(EVFLAG_AUTO);
+ 	if (config->tcp_client_max_idle) {
+-		ev_periodic_set (&periodic_watcher, ev_now (loop),
++		ev_periodic_set(&periodic_watcher, ev_now(loop),
+ 				 config->tcp_client_max_idle, NULL);
+-		ev_periodic_start (loop, &periodic_watcher);
++		ev_periodic_start(loop, &periodic_watcher);
+ 	} else {
+-		ev_periodic_stop (loop, &periodic_watcher);
++		ev_periodic_stop(loop, &periodic_watcher);
+ 	}
+ }
+ 
+-void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf,
+-				     struct daemon_conf *oconf )
++void auditd_tcp_listen_reconfigure(struct daemon_conf *nconf,
++				     struct daemon_conf *oconf)
+ {
+ 	use_libwrap = nconf->use_libwrap;
+ 
+@@ -1112,3 +1111,4 @@ void auditd_tcp_listen_reconfigure ( struct daemon_conf *nconf,
+ 	// and recredential if needed.
+ 	oconf->krb5_principal = nconf->krb5_principal;
+ }
++

SPECS/audit.spec

@@ -0,0 +1,483 @@
+%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+
+Summary: User space tools for 2.6 kernel auditing
+Name: audit
+Version: 2.8.1
+Release: 3%{?dist}
+License: GPLv2+
+Group: System Environment/Daemons
+URL: http://people.redhat.com/sgrubb/audit/
+Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
+# This patch switches collecting nametype for objtype because RHEL is different
+Patch1: audit-2.7.1-rhel7-fixup.patch
+# DO NOT REMOVE - backlog_wait_time is not in RHEL 7 kernel
+Patch2: audit-2.7.5-no-backlog-wait-time.patch
+# This patch is purely fomatting. Needed for Patch4 to apply
+Patch3: audit-2.8.2-style-fix.patch
+# This patch fixes issue reported in bz 1101605#c15
+Patch4: audit-2.8.2-ipv6-bind.patch
+# This patch corrects the return value for auditctl --reset-lost
+Patch5: audit-2.8.2-fix-reset-lost-return.patch
+# This patch makes date a numeric field so auparse_search works
+Patch6: audit-2.8.2-auparse-numeric_field.patch
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+BuildRequires: openldap-devel
+BuildRequires: swig
+BuildRequires: python-devel
+BuildRequires: tcp_wrappers-devel krb5-devel libcap-ng-devel
+BuildRequires: kernel-headers >= 2.6.29
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+BuildRequires: systemd-units
+Requires(post): systemd-units systemd-sysv chkconfig coreutils
+Requires(preun): systemd-units
+Requires(postun): systemd-units coreutils
+
+%description
+The audit package contains the user space utilities for
+storing and searching the audit records generated by
+the audit subsystem in the Linux 2.6 and later kernels.
+
+%package libs
+Summary: Dynamic library for libaudit
+License: LGPLv2+
+Group: Development/Libraries
+
+%description libs
+The audit-libs package contains the dynamic libraries needed for 
+applications to use the audit framework.
+
+%package libs-devel
+Summary: Header files for libaudit
+License: LGPLv2+
+Group: Development/Libraries
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: kernel-headers >= 2.6.29
+
+%description libs-devel
+The audit-libs-devel package contains the header files needed for
+developing applications that need to use the audit framework libraries.
+
+%package libs-static
+Summary: Static version of libaudit library
+License: LGPLv2+
+Group: Development/Libraries
+Requires: kernel-headers >= 2.6.29
+
+%description libs-static
+The audit-libs-static package contains the static libraries
+needed for developing applications that need to use static audit
+framework libraries
+
+%package libs-python
+Summary: Python bindings for libaudit
+License: LGPLv2+
+Group: Development/Libraries
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+
+%description libs-python
+The audit-libs-python package contains the bindings so that libaudit
+and libauparse can be used by python.
+
+%package -n audispd-plugins
+Summary: Plugins for the audit event dispatcher
+License: GPLv2+
+Group: System Environment/Daemons
+Requires: %{name} = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
+Requires: openldap
+
+%description -n audispd-plugins
+The audispd-plugins package provides plugins for the real-time
+interface to the audit system, audispd. These plugins can do things
+like relay events to remote machines.
+
+%prep
+%setup -q
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+
+%build
+%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes \
+	--with-libwrap --enable-gssapi-krb5=yes \
+	--with-libcap-ng=yes --with-arm --with-aarch64 \
+	--enable-zos-remote --without-golang --enable-systemd
+
+make CFLAGS="%{optflags}" %{?_smp_mflags}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+mkdir -p $RPM_BUILD_ROOT/{sbin,etc/audispd/plugins.d,etc/audit/rules.d}
+mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
+mkdir -p $RPM_BUILD_ROOT/%{_lib}
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
+mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit
+mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
+make DESTDIR=$RPM_BUILD_ROOT install
+
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}
+# This winds up in the wrong place when libtool is involved
+mv $RPM_BUILD_ROOT/%{_lib}/libaudit.a $RPM_BUILD_ROOT%{_libdir}
+mv $RPM_BUILD_ROOT/%{_lib}/libauparse.a $RPM_BUILD_ROOT%{_libdir}
+curdir=`pwd`
+cd $RPM_BUILD_ROOT/%{_libdir}
+LIBNAME=`basename \`ls $RPM_BUILD_ROOT/%{_lib}/libaudit.so.1.*.*\``
+ln -s ../../%{_lib}/$LIBNAME libaudit.so
+LIBNAME=`basename \`ls $RPM_BUILD_ROOT/%{_lib}/libauparse.so.0.*.*\``
+ln -s ../../%{_lib}/$LIBNAME libauparse.so
+cd $curdir
+# Remove these items so they don't get picked up.
+rm -f $RPM_BUILD_ROOT/%{_lib}/libaudit.so
+rm -f $RPM_BUILD_ROOT/%{_lib}/libauparse.so
+
+find $RPM_BUILD_ROOT -name '*.la' -delete
+find $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages -name '*.a' -delete
+
+# Move the pkgconfig file
+mv $RPM_BUILD_ROOT/%{_lib}/pkgconfig $RPM_BUILD_ROOT%{_libdir}
+
+# On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
+touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
+touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz
+
+%check
+%ifnarch aarch64 ppc %{power64} s390 s390x %{ix86}
+make check
+%endif
+# Get rid of make files that they don't get packaged.
+rm -f rules/Makefile*
+
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post libs -p /sbin/ldconfig
+
+%post
+# Copy default rules into place on new installation
+files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
+if [ "$files" -eq 0 ] ; then
+  if [ -e /usr/share/doc/audit-%{version}/rules/10-base-config.rules ] ; then
+    cp /usr/share/doc/audit-%{version}/rules/10-base-config.rules /etc/audit/rules.d/audit.rules
+  else
+    touch /etc/audit/rules.d/audit.rules
+  fi
+  chmod 0600 /etc/audit/rules.d/audit.rules
+fi
+%systemd_post auditd.service
+
+%preun
+%systemd_preun auditd.service
+
+%postun libs -p /sbin/ldconfig
+
+%postun
+if [ $1 -ge 1 ]; then
+   /sbin/service auditd condrestart > /dev/null 2>&1 || :
+fi
+
+%files libs
+%defattr(-,root,root,-)
+/%{_lib}/libaudit.so.1*
+/%{_lib}/libauparse.*
+%config(noreplace) %attr(640,root,root) /etc/libaudit.conf
+%{_mandir}/man5/libaudit.conf.5.gz
+
+%files libs-devel
+%defattr(-,root,root,-)
+%doc contrib/skeleton.c contrib/plugin
+%{_libdir}/libaudit.so
+%{_libdir}/libauparse.so
+%{_includedir}/libaudit.h
+%{_includedir}/auparse.h
+%{_includedir}/auparse-defs.h
+%{_datadir}/aclocal/audit.m4
+%{_libdir}/pkgconfig/audit.pc
+%{_libdir}/pkgconfig/auparse.pc
+%{_mandir}/man3/*
+
+%files libs-static
+%defattr(-,root,root,-)
+%{_libdir}/libaudit.a
+%{_libdir}/libauparse.a
+
+%files libs-python
+%defattr(-,root,root,-)
+%attr(755,root,root) %{python_sitearch}/_audit.so
+%attr(755,root,root) %{python_sitearch}/auparse.so
+%{python_sitearch}/audit.py*
+
+%files
+%defattr(-,root,root,-)
+%doc README COPYING ChangeLog rules init.d/auditd.cron
+%attr(644,root,root) %{_mandir}/man8/audispd.8.gz
+%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
+%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
+%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
+%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
+%attr(644,root,root) %{_mandir}/man8/autrace.8.gz
+%attr(644,root,root) %{_mandir}/man8/aulast.8.gz
+%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
+%attr(644,root,root) %{_mandir}/man8/auvirt.8.gz
+%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
+%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
+%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
+%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
+%attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz
+%attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
+%attr(755,root,root) /sbin/auditctl
+%attr(755,root,root) /sbin/auditd
+%attr(755,root,root) /sbin/ausearch
+%attr(755,root,root) /sbin/aureport
+%attr(750,root,root) /sbin/autrace
+%attr(755,root,root) /sbin/audispd
+%attr(755,root,root) /sbin/augenrules
+%attr(755,root,root) %{_bindir}/aulast
+%attr(755,root,root) %{_bindir}/aulastlog
+%attr(755,root,root) %{_bindir}/ausyscall
+%attr(755,root,root) %{_bindir}/auvirt
+%attr(644,root,root) %{_unitdir}/auditd.service
+%attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/resume
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/restart
+%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart
+%attr(-,root,-) %dir %{_var}/log/audit
+%attr(750,root,root) %dir /etc/audit
+%attr(750,root,root) %dir /etc/audit/rules.d
+%attr(750,root,root) %dir /etc/audisp
+%attr(750,root,root) %dir /etc/audisp/plugins.d
+%config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
+%ghost %config(noreplace) %attr(640,root,root) /etc/audit/rules.d/audit.rules
+%ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
+%config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
+%config(noreplace) %attr(640,root,root) /etc/audisp/audispd.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/af_unix.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/syslog.conf
+
+%files -n audispd-plugins
+%defattr(-,root,root,-)
+%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
+%attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
+%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/audispd-zos-remote.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/zos-remote.conf
+%attr(750,root,root) /sbin/audispd-zos-remote
+%config(noreplace) %attr(640,root,root) /etc/audisp/audisp-remote.conf
+%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/au-remote.conf
+%attr(750,root,root) /sbin/audisp-remote
+%attr(700,root,root) %dir %{_var}/spool/audit
+%attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
+%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
+
+%changelog
+* Tue Dec 12 2017 Steve Grubb <sgrubb@redhat.com> 2.8.1-3
+resolves: #1399314 - Allow non-equality comparisons for uid and gid fields
+
+* Mon Nov 06 2017 Steve Grubb <sgrubb@redhat.com> 2.8.1-2
+resolves: #1508965 - Need to rebuild rpm to remove static relocations
+
+* Thu Oct 12 2017 Steve Grubb <sgrubb@redhat.com> 2.8.1-1
+resolves: #982154 - Can't find the "avc" event with the auvirt command
+resolves: #1101605 - Ipv6 seems no working
+resolves: #1399314 - Allow non-equality comparisons for uid and gid fields
+resolves: #1455598 - Default port is wrong in audisp-remote.conf
+resolves: #1476406 - Audit package rebase
+
+* Mon Sep 18 2017 Steve Grubb <sgrubb@redhat.com> 2.7.8-1
+resolves: #1406887 - auditd validate_email uses obsolete gethostbyname
+resolves: #1448526 - aureport shows the wrong auid "-1"
+resolves: #1475998 - python audit crash if when using AUSOURCE_FILE_POINTER
+resolves: #1482121 - python audit crash dereferencing auparse_state_t le field
+
+* Mon Jun 12 2017 Steve Grubb <sgrubb@redhat.com> 2.7.6-3
+resolves: #1460110 - aureport does not report all anomalies
+
+* Fri May 26 2017 Steve Grubb <sgrubb@redhat.com> 2.7.6-2
+resolves: #1455594 - Bad configuration keyword for audispd-remote.conf
+
+* Wed Apr 19 2017 Steve Grubb <sgrubb@redhat.com> 2.7.6-1
+resolves: #1443107 - disk full action and infinite loop in audit-remote
+
+* Mon Apr 10 2017 Steve Grubb <sgrubb@redhat.com> 2.7.5-1
+resolves: #1437187 - audit rpm postinstall script points to non-existing file
+resolves: #1437426 - Remove "--backlog_wait_time" from auditctl man page & rules
+resolves: #1437626 - PF_PACKET socket address will cause ausearch to segfault
+resolves: #1438997 - SECCOMP records have wrong syscall
+
+* Tue Mar 28 2017 Steve Grubb <sgrubb@redhat.com> 2.7.4-1
+resolves: #1367703 - auvirt wasn't supporting date keywords
+resolves: #1396792 - augenrules includes files ending in regexp "rules"
+resolves: #1406525 - ausearch with '--raw' parameter outputs garbage character
+
+* Tue Feb 28 2017 Steve Grubb <sgrubb@redhat.com> 2.7.3-1
+resolves: #1381601 - audit package update
+resolves: #1382381 - typo in package description
+
+* Fri Jan 20 2017 Steve Grubb <sgrubb@redhat.com> 2.6.5-4
+resolves: #1382397 - write_logs option is not correctly handled
+resolves: #1414812 - Setting log_format to NOLOG make auditd core dump
+
+* Wed Aug 10 2016 Steve Grubb <sgrubb@redhat.com> 2.6.5-3
+resolves: #1296204 - Rebase audit package
+
+* Wed Jan 14 2015 Steve Grubb <sgrubb@redhat.com> 2.4.1-5
+resolves: #1180675 - rules with "-F arch=ppc64le" fail to load
+
+* Tue Jan 13 2015 Steve Grubb <sgrubb@redhat.com> 2.4.1-4
+- Remove golang bindings added under the following bz
+resolves: #1115196 - Add golang bindings for libaudit
+
+* Wed Dec 17 2014 Steve Grubb <sgrubb@redhat.com> 2.4.1-2
+resolves: #1173160 - Audit package needs update for new VPN crypto events
+
+* Tue Oct 28 2014 Steve Grubb <sgrubb@redhat.com> 2.4.1-1
+resolves: #963353 - aarch64 userspace auditing needs to be written
+resolves: #1150202 - perf trace sleep 1 does not list any syscall information
+resolves: #1142989 - Update audit package to 2.4.1
+resolves: #1155221 - adjust fstatat naming to match kernel uapi
+
+* Thu Sep 18 2014 Steve Grubb <sgrubb@redhat.com> 2.4-1
+resolves: #1115196 - Add golang bindings for libaudit
+resolves: #1105150 - audispd config file parser fails on long input
+resolves: #1104973 - auparse truncating selinux context after first category
+resolves: #1088593 - auditctl man page examples use deprecated syscalls
+resolves: #1087849 - support for setting loginuid immutable
+resolves: #1073063 - AUDIT_SECCOMP events syscall field is not interpretted
+resolves: #975796  - confusing aulast records for bad logins
+
+* Tue Mar 18 2014 Steve Grubb <sgrubb@redhat.com> 2.3.3-4
+resolves: #1077249 - Audit update, various issues
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.3.3-3
+- Mass rebuild 2014-01-24
+
+* Mon Jan 20 2014 Steve Grubb <sgrubb@redhat.com> 2.3.3-2
+- New upstream bugfix/enhancement release
+resolves: #1053804 - ausearch issues found by ausearch-test
+resolves: #1030409 - ausearch help typo for "-x" option
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.3.2-4
+- Mass rebuild 2013-12-27
+
+* Thu Oct 03 2013 Steve Grubb <sgrubb@redhat.com> 2.3.2-3
+resolves: #828495 - semanage port should generate an audit event
+
+* Thu Aug 29 2013 Steve Grubb <sgrubb@redhat.com> 2.3.2-2
+resolves: #991056 - ausearch ignores USER events with -ua option
+
+* Mon Jul 29 2013 Steve Grubb <sgrubb@redhat.com> 2.3.2-1
+- New upstream bugfix/enhancement release
+resolves: #982112 Add delay between stopping and starting auditd
+
+* Wed Jul 10 2013 Steve Grubb <sgrubb@redhat.com> 2.3.1-4
+resolves: #982112 Add delay between stopping and starting auditd
+
+* Wed Jul 03 2013 Steve Grubb <sgrubb@redhat.com> 2.3.1-3
+- Remove prelude support
+
+* Fri May 31 2013 Steve Grubb <sgrubb@redhat.com> 2.3.1-2
+- Fix unknown lvalue in auditd.service (#969345)
+
+* Thu May 30 2013 Steve Grubb <sgrubb@redhat.com> 2.3.1-1
+- New upstream bugfix/enhancement release
+
+* Fri May 03 2013 Steve Grubb <sgrubb@redhat.com> 2.3-2
+- If no rules exist, copy shipped rules into place
+
+* Tue Apr 30 2013 Steve Grubb <sgrubb@redhat.com> 2.3-1
+- New upstream bugfix release
+
+* Thu Mar 21 2013 Steve Grubb <sgrubb@redhat.com> 2.2.3-2
+- Fix clone syscall interpretation
+
+* Tue Mar 19 2013 Steve Grubb <sgrubb@redhat.com> 2.2.3-1
+- New upstream bugfix release
+
+* Wed Feb 13 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.2-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Jan 16 2013 Steve Grubb <sgrubb@redhat.com> 2.2.2-4
+- Don't make auditd.service file executable (#896113)
+
+* Fri Jan 11 2013 Steve Grubb <sgrubb@redhat.com> 2.2.2-3
+- Do not own /usr/lib64/audit
+
+* Wed Dec 12 2012 Steve Grubb <sgrubb@redhat.com> 2.2.2-2
+- New upstream release
+
+* Wed Jul 18 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Fri Mar 23 2012 Steve Grubb <sgrubb@redhat.com> 2.2.1-1
+- New upstream release
+
+* Thu Mar 1 2012 Steve Grubb <sgrubb@redhat.com> 2.2-1
+- New upstream release
+
+* Thu Jan 12 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Thu Sep 15 2011 Adam Williamson <awilliam@redhat.com> 2.1.3-4
+- add in some systemd scriptlets that were missed, including one which
+  will cause auditd to be enabled on upgrade from pre-systemd builds
+
+* Wed Sep 14 2011 Steve Grubb <sgrubb@redhat.com> 2.1.3-3
+- Enable by default (#737060)
+
+* Tue Aug 30 2011 Steve Grubb <sgrubb@redhat.com> 2.1.3-2
+- Correct misplaced ifnarch (#734359)
+
+* Mon Aug 15 2011 Steve Grubb <sgrubb@redhat.com> 2.1.3-1
+- New upstream release
+
+* Tue Jul 26 2011 Jóhann B. Guðmundsson <johannbg@gmail.com> - 2.1.2-2
+- Introduce systemd unit file, drop SysV support
+
+* Sat Jun 11 2011 Steve Grubb <sgrubb@redhat.com> 2.1.2-1
+- New upstream release
+
+* Wed Apr 20 2011 Steve Grubb <sgrubb@redhat.com> 2.1.1-1
+- New upstream release
+
+* Tue Mar 29 2011 Steve Grubb <sgrubb@redhat.com> 2.1-1
+- New upstream release
+
+* Mon Feb 07 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Feb 04 2011 Steve Grubb <sgrubb@redhat.com> 2.0.6-1
+- New upstream release
+
+* Thu Jan 20 2011 Karsten Hopp <karsten@redhat.com> 2.0.5-2
+- bump and rebuild as 2.0.5-1 was erroneously linked with python-2.6 on ppc
+
+* Tue Nov 02 2010 Steve Grubb <sgrubb@redhat.com> 2.0.5-1
+- New upstream release
+
+* Wed Jul 21 2010 David Malcolm <dmalcolm@redhat.com> - 2.0.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Tue Feb 16 2010 Adam Jackson <ajax@redhat.com> 2.0.4-3
+- audit-2.0.4-add-needed.patch: Fix FTBFS for --no-add-needed
+
+* Fri Jan 29 2010 Steve Grubb <sgrubb@redhat.com> 2.0.4-2
+- Split out static libs (#556039)
+
+* Tue Dec 08 2009 Steve Grubb <sgrubb@redhat.com> 2.0.4-1
+- New upstream release
+
+* Sat Oct 17 2009 Steve Grubb <sgrubb@redhat.com> 2.0.3-1
+- New upstream release
+
+* Fri Oct 16 2009 Steve Grubb <sgrubb@redhat.com> 2.0.2-1
+- New upstream release
+
+* Mon Sep 28 2009 Steve Grubb <sgrubb@redhat.com> 2.0.1-1
+- New upstream release
+
+* Fri Aug 21 2009 Steve Grubb <sgrubb@redhat.com> 2.0-3
+- New upstream release