specs/a/audit/audit-vl.spec

%bcond_with systemd

%define build_compat32 %{?_with_compat32:1}%{!?_with_compat32:0}
%define _unpackaged_files_terminate_build 1

Summary: User space tools for kernel auditing
Name: audit
Version: 4.0.2
Release: 1%{?_dist_release}%{?with_systemd:.systemd}
License: GPLv2+
Group: system,admin-tools
Distribution: Vine Linux
Vendor: Project Vine

URL: https://people.redhat.com/sgrubb/audit/
Source0: https://github.com/linux-audit/audit-userspace/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
Source2: auditd.init
Source3: auditd.sysconfig

BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: gettext intltool libtool swig
BuildRequires: python-devel python-rpm-macros
BuildRequires: python3-devel python3-rpm-macros
BuildRequires: openldap-devel
BuildRequires: krb5-devel
BuildRequires: kernel-headers >= 2.6.18
BuildRequires: libcap-ng-devel
BuildRequires: automake >= 1.9
BuildRequires: autoconf >= 2.59
%if %{with systemd}
%{?systemd_requires}
%else
Requires(post): /sbin/chkconfig
Requires(preun): /sbin/chkconfig
Requires(preun): /sbin/service
Requires(postun): /sbin/service
%endif
Requires: %{name}-libs = %{version}-%{release}
Requires: %{name}-rules = %{version}-%{release}
Requires(pre): coreutils

%description
The audit package contains the user space utilities for
storing and searching the audit records generate by
the audit subsystem in the Linux kernel.


%package libs
Summary: Dynamic library for libaudit
License: LGPLv2+
Group: system

%description libs
The audit-libs package contains the dynamic libraries needed for 
applications to use the audit framework.


%package libs-devel
Summary: Header files and static library for libaudit
License: LGPLv2+
Group: programming
Requires: %{name}-libs = %{version}-%{release}
Requires: kernel-headers >= 2.6.18

%description libs-devel
The audit-libs-devel package contains the static libraries and header 
files needed for developing applications that need to use the audit 
framework libraries.


%package libs-python3
Summary: Python3 bindings for libaudit
License: LGPLv2+
Group: programming
Provides: python-audit = %{version}-%{release}
Requires: %{name}-libs = %{version}-%{release}

%description libs-python3
The audit-libs-python3 package contains the bindings so that libaudit
and libauparse can be used by python3.


%package -n audispd-plugins
Summary: Plugins for the audit event dispatcher
Group: system
License: GPLv2+
Provides: python3-audit = %{version}-%{release}
Requires: %{name} = %{version}-%{release}
Requires: %{name}-libs = %{version}-%{release}

%description -n audispd-plugins
The audispd-plugins package provides plugins for the real-time
interface to the audit system, audispd. These plugins can do things
like relay events to remote machines or analyze events for suspicious
behavior.


%package -n audispd-plugins-zos
Summary: z/OS plugin for the audit event dispatcher
Group: system
License: GPLv2+
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: openldap

%description -n audispd-plugins-zos
The audispd-plugins-zos package provides a plugin that will forward all
incoming audit events, as they happen, to a configured z/OS SMF (Service
Management Facility) database, through an IBM Tivoli Directory Server
(ITDS) set for Remote Audit service.

%package rules
Summary: audit rules and utilities
License: GPLv2+
Recommends: %{name} = %{version}-%{release}

%description rules
The audit rules package contains the rules and utilities to load audit rules.


%package -n compat32-%{name}-libs
Summary: Dynamic library for libaudit
License: LGPLv2+
Group: system,legacy

%description -n compat32-%{name}-libs
The audit-libs package contains the dynamic libraries needed for 
applications to use the audit framework.


%debug_package


%prep
%setup -q -n audit-userspace-%{version}
cp %{SOURCE1} .

autoreconf -vif

# Remove the ids code, its not ready
sed -i 's/ ids / /' audisp/plugins/Makefile.am
sed -i 's/ ids / /' audisp/plugins/Makefile.in


%build
%configure --sbindir=/sbin --libdir=/%{_lib} \
    --with-python=yes --with-python3=yes \
    --with-libcap-ng=yes --enable-gssapi-krb5=yes \
    --enable-zos-remote \
    --enable-experimental \
    --with-io_uring \
%if %{with systemd}
    --enable-systemd
%else
    %{nil}
%endif
make CFLAGS="%{optflags}" %{?_smp_mflags}


%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/{sbin,etc/{sysconfig,audit/plugins.d,rc.d/init.d,audit/rules.d}}
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
mkdir -p $RPM_BUILD_ROOT/%{_lib}
mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit
mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
make DESTDIR=$RPM_BUILD_ROOT install

mkdir -p $RPM_BUILD_ROOT/%{_libdir}
# This winds up in the wrong place when libtool is involved
mv $RPM_BUILD_ROOT/%{_lib}/libaudit.a $RPM_BUILD_ROOT%{_libdir}
mv $RPM_BUILD_ROOT/%{_lib}/libauparse.a $RPM_BUILD_ROOT%{_libdir}
curdir=`pwd`
cd $RPM_BUILD_ROOT/%{_libdir}
LIBNAME=`basename \`ls $RPM_BUILD_ROOT/%{_lib}/libaudit.so.*.*.*\``
ln -s ../../%{_lib}/$LIBNAME libaudit.so
LIBNAME=`basename \`ls $RPM_BUILD_ROOT/%{_lib}/libauparse.so.*.*.*\``
ln -s ../../%{_lib}/$LIBNAME libauparse.so
cd $curdir
# Remove these items so they don't get picked up.
rm -f $RPM_BUILD_ROOT/%{_lib}/libaudit.so
rm -f $RPM_BUILD_ROOT/%{_lib}/libauparse.so

find $RPM_BUILD_ROOT -name '*.la' -delete

# Move the pkgconfig file
mv $RPM_BUILD_ROOT/%{_lib}/pkgconfig $RPM_BUILD_ROOT%{_libdir}

# On platforms with 32 & 64 bit libs, we need to coordinate the timestamp
touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz

%if %{with systemd}
rm -rf %{buildroot}%{_libexecdir}/initscripts
rm -f %{buildroot}%{_libexecdir}/audit-functions
%else
mkdir -p %{buildroot}%{_initdir}
install -m755 %{SOURCE2} %{buildroot}%{_initdir}/auditd
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
install -m640 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/auditd
rm -rf %{buildroot}/usr/lib/systemd
rm -rf %{buildroot}%{_libexecdir}/initscripts
%endif


%check
#make check
# Get rid of make files so that they don't get packaged.
#rm -f rules/Makefile*


%clean
rm -rf $RPM_BUILD_ROOT
rm -rf zos-remote-policy


%post
# This is to migrate users from audit-1.0.x installations
if [ -f /etc/auditd.conf ]; then
   mv /etc/auditd.conf /etc/audit/auditd.conf
fi
if [ -f /etc/audit.rules ]; then
   mv /etc/audit.rules /etc/audit/audit.rules
fi
# This is to enable the dispatcher option which was commented out
if [ -f /etc/audit/auditd.conf ]; then
   grep '^dispatcher' /etc/audit/auditd.conf >/dev/null
   if [ $? -eq 1 ] ; then
      tmp=`mktemp /etc/audit/auditd-post.XXXXXX`
      if [ -n $tmp ]; then
         sed 's|^#dispatcher|dispatcher|g' /etc/audit/auditd.conf > $tmp && \
         cat $tmp > /etc/audit/auditd.conf
         rm -f $tmp
      fi
   fi
fi
# Copy default rules into place on new installation
files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
if [ "$files" -eq 0 ] ; then
# FESCO asked for audit to be off by default. #1117953
	if [ -e %{_datadir}/%{name}/sample-rules/10-no-audit.rules ] ; then
		cp %{_datadir}/%{name}/sample-rules/10-no-audit.rules /etc/audit/rules.d/audit.rules
	else
		touch /etc/audit/rules.d/audit.rules
	fi
	chmod 0600 /etc/audit/rules.d/audit.rules
fi
%if %{with systemd}
%systemd_post auditd.service
%else
/sbin/chkconfig --add auditd
%endif

%post rules
%systemd_post audit-rules.service
# Copy default rules into place on new installation
files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
if [ "$files" -eq 0 ] ; then
    echo "No rules detected, adding default"
    # FESCO asked for audit to be off by default. #1117953
    if [ -e %{_datadir}/%{name}-rules/10-no-audit.rules ] ; then
        install -m 0600 -o 0 -g 0 -p %{_datadir}/%{name}-rules/10-no-audit.rules /etc/audit/rules.d/audit.rules
    else
        install -m 0600 -o 0 -g 0 /dev/null /etc/audit/rules.d/audit.rules
    fi
    # Only load the new rules if not running during an rpm-ostree compose
    if [ ! -f /run/ostree-booted ] ; then
        # Make the new rules active
        augenrules --load || true
    fi
fi

%preun
%if %{with systemd}
%systemd_preun auditd.service
%else
if [ $1 -eq 0 -o -x /bin/systemctl ]; then
   /sbin/service auditd stop > /dev/null 2>&1
   /sbin/chkconfig --del auditd
fi
%endif

%if %{with systemd}
%preun rules
%systemd_preun audit-rules.service
# If uninstalling, delete the rules loaded in the kernel
if [ $1 -eq 0 ] ; then
    auditctl -D > /dev/null 2>&1 || true
fi
%endif

%postun
%if %{with systemd}
%systemd_postun_with_restart auditd.service
%else
if [ $1 -ge 1 ]; then
   /sbin/service auditd condrestart > /dev/null 2>&1 || :
fi
%endif


%files libs
%defattr(-,root,root)
%{!?_licensedir:%global license %%doc}
%license lgpl-2.1.txt
/%{_lib}/libaudit.*
/%{_lib}/libauparse.*
%config(noreplace) %attr(640,root,root) /etc/libaudit.conf
%{_mandir}/man5/libaudit.conf.5.gz

%files libs-devel
%defattr(-,root,root)
%{!?_licensedir:%global license %%doc}
%license COPYING.LIB
%doc contrib/skeleton.c contrib/plugin
%{_libdir}/libaudit.a
%{_libdir}/libauparse.a
%{_libdir}/libaudit.so
%{_libdir}/libauparse.so
%{_includedir}/libaudit.h
%{_includedir}/audit_logging.h
%{_includedir}/audit-records.h
%{_includedir}/auparse.h
%{_includedir}/auparse-defs.h
%{_datadir}/aclocal/audit.m4
%{_libdir}/pkgconfig/audit.pc
%{_libdir}/pkgconfig/auparse.pc
%{_mandir}/man3/*

%files libs-python3
%defattr(-,root,root,-)
%attr(755,root,root) %{python3_sitearch}/*

%files
%defattr(-,root,root,-)
%doc README.md ChangeLog init.d/auditd.cron
%{!?_licensedir:%global license %%doc}
%license COPYING
%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
%attr(644,root,root) %{_mandir}/man8/aureport.8.gz
%attr(644,root,root) %{_mandir}/man8/ausearch.8.gz
%attr(644,root,root) %{_mandir}/man8/aulast.8.gz
%attr(644,root,root) %{_mandir}/man8/aulastlog.8.gz
%attr(644,root,root) %{_mandir}/man8/ausyscall.8.gz
%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
%attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
%attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz
%attr(750,root,root) /sbin/auditd
%attr(755,root,root) /sbin/ausearch
%attr(755,root,root) /sbin/aureport
%attr(750,root,root) %{_bindir}/aulastlog
%attr(750,root,root) %{_bindir}/aulast
%attr(755,root,root) %{_bindir}/ausyscall
%attr(750,root,root) %dir %{_var}/log/audit
%attr(750,root,root) %dir /etc/audit
%attr(750,root,root) %dir /etc/audit/rules.d
%attr(750,root,root) %dir /etc/audit/plugins.d
%config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
%ghost %config(noreplace) %attr(640,root,root) /etc/audit/rules.d/audit.rules
%ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
%config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
%if %{with systemd}
%attr(644,root,root) %{_unitdir}/auditd.service
%else
%config(noreplace) %attr(640,root,root) /etc/sysconfig/auditd
%attr(755,root,root) /etc/rc.d/init.d/auditd
%endif

%files rules
%attr(755,root,root) %dir %{_datadir}/%{name}-rules
%attr(644,root,root) %{_datadir}/%{name}-rules/*
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/augenrules.8.gz
%attr(644,root,root) %{_mandir}/man7/audit.rules.7.gz
%attr(750,root,root) /sbin/auditctl
%attr(755,root,root) /sbin/augenrules
%if %{with systemd}
%attr(644,root,root) %{_unitdir}/audit-rules.service
%endif
%attr(750,root,root) %dir /etc/audit
%attr(750,root,root) %dir /etc/audit/rules.d
%ghost %config(noreplace) %attr(640,root,root) /etc/audit/rules.d/audit.rules
%ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
%config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules

%files -n audispd-plugins
%defattr(-,root,root,-)
%config(noreplace) %attr(640,root,root) /etc/audit/audisp-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/syslog.conf
%config(noreplace) %attr(640,root,root) /etc/audit/audisp-statsd.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/au-statsd.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/af_unix.conf
%config(noreplace) %attr(640,root,root) /etc/audit/audisp-filter.conf
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/filter.conf
%attr(750,root,root) /sbin/audisp-remote
%attr(750,root,root) /sbin/audisp-syslog
%attr(750,root,root) /sbin/audisp-af_unix
%attr(750,root,root) /sbin/audisp-statsd
%attr(750,root,root) /sbin/audisp-filter
%attr(700,root,root) %dir %{_var}/spool/audit
%attr(644,root,root) %{_mandir}/man5/audisp-remote.conf.5.gz
%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-af_unix.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-statsd.8.gz
%attr(644,root,root) %{_mandir}/man8/audisp-filter.8.gz

%files -n audispd-plugins-zos
%attr(644,root,root) %{_mandir}/man8/audispd-zos-remote.8.gz
%attr(644,root,root) %{_mandir}/man5/zos-remote.conf.5.gz
%config(noreplace) %attr(640,root,root) /etc/audit/plugins.d/audispd-zos-remote.conf
%config(noreplace) %attr(640,root,root) /etc/audit/zos-remote.conf
%attr(750,root,root) /sbin/audispd-zos-remote

%if %{build_compat32}
%files -n compat32-%{name}-libs
%{!?_licensedir:%global license %%doc}
%license COPYING.LIB
%defattr(-,root,root)
%attr(755,root,root) /%{_lib}/libaudit.*
%attr(755,root,root) /%{_lib}/libauparse.*
%endif


%changelog
* Fri Aug 09 2024 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 4.0.2-1
- new upstream release.

* Thu Apr 04 2024 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 4.0.1-1
- new upstream release.

* Tue Aug 08 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.1.2-1
- new upstream release.

* Wed May 03 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.1.1-2
- imported Patch2 from rawhide.

* Sat Apr 29 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.1.1-1
- new upstream release.
- imported Patch1 from rawhide.

* Fri Feb 10 2023 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.1-1
- new upstream release.

* Tue Aug 30 2022 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.0.9-1
- new upstream release.

* Wed Mar 30 2022 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.0.8-1
- new upstream release.

* Mon Jan 24 2022 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.0.7-1
- new upstream release.

* Sat Oct 02 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.0.6-1
- new upstream release.

* Wed Sep 01 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.0.5-1
- new upstream release.
- dropped Patch1.
- dropped ldconfig scriptlets.

* Fri Feb 19 2021 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.0.1-1
- new upstream release.
- dropped Patch1.
- imported Patch1 from rawhide.

* Sun Aug 11 2019 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2.8.5-1
- new upstream release.
- imported Patch1 from rawhide.

* Sat Sep 09 2017 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 2.7.7-1
- new upstream release.
- dropped all patches.
- dropped system-config-audit.
- added python3 bindings.

* Sun Apr 05 2015 Yoji TOYODA <bsyamato@sea.plala.or.jp> 1.7.18-4
- fix sca_release

* Sun Apr 05 2015 Yoji TOYODA <bsyamato@sea.plala.or.jp> 1.7.18-3
- create compat32-audit-libs subpackage

* Wed Feb 15 2012 Yoji TOYODA <bsyamato@sea.plala.or.jp> 1.7.18-2
- rebuild with python-2.7.2
- add Patch12 (audit-1.7.18-libaudit.patch)

* Sun Apr 03 2011 Daisuke SUZUKI <daisuke@linux.or.jp> 1.7.18-1
- new upstream release
- rebuild with krb5-1.8.2

* Fri Feb 12 2010 MATSUBAYASHI Kohji <shaolin@vinelinux.org> - 1.7.6-6
- forgot to increment sca_release macro (why on earth is sca_release
  individually defined from main package's release number anyway?)

* Fri Feb 12 2010 MATSUBAYASHI Kohji <shaolin@vinelinux.org> - 1.7.6-5
- rebuilt with gcc-4.4.3-3 on ppc

* Fri Feb  5 2010 MATSUBAYASHI Kohji <shaolin@vinelinux.org> - 1.7.6-4
- rebuilt with rpm-4.8.0-3 (on ppc)

* Tue Feb 02 2010 Shu KONNO <owa@bg.wakwak.com> 1.7.6-3
- rebuild with python-2.6

* Sat Apr 04 2009 Daisuke SUZUKI <daisuke@linux.or.jp> 1.7.6-2
- rebuild with openldap-2.4.11

* Mon Sep 15 2008 Daisuke SUZUKI <daisuke@linux.or.jp> 1.7.6-1
- initial build for Vine Linux
- disable krb5, prelude and selinux
- add ja.po (XXX: minimal)

* Thu Sep 11 2008 Steve Grubb <sgrubb@redhat.com> 1.7.6-1
- Add subject to audit daemon events (Chu Li)
- Add tcp_wrappers support for auditd
- Updated syscall tables for 2.6.27 kernel
- Audit connect/disconnect of remote clients
- Add GSS/Kerberos encryption to the remote protocol (DJ Delorie)

* Mon Aug 25 2008 Steve Grubb <sgrubb@redhat.com> 1.7.5-1
- Update system-config-audit to 0.4.8
- Whole lot of bug fixes - see ChangeLog for details
- Reimplement auditd main loop using libev
- Add TCP listener to auditd to receive remote events
- Fix scheduler problem (#457061)

* Thu Jul 03 2008 Steve Grubb <sgrubb@redhat.com> 1.7.4-2
- Move ausearch-expression to main package (#453437)

* Mon May 19 2008 Steve Grubb <sgrubb@redhat.com> 1.7.4-1
- Fix interpreting of keys in syscall records
- Don't error on name=(null) PATH records in ausearch/report
- Add key report to aureport
- Update system-config-audit to 0.4.7 (Miloslav Trmac)
- Add support for the filetype field option in auditctl new to 2.6.26 kernels

* Fri May 09 2008 Steve Grubb <sgrubb@redhat.com> 1.7.3-1
- Fix output of keys in ausearch interpretted mode
- Fix ausearch/report --start now to not be reset to midnight
- audispd now has a priority boost config option
- Look for laddr in avcs reported via prelude
- Detect page 0 mmaps and alert via prelude

* Fri Apr 18 2008 Steve Grubb <sgrubb@redhat.com> 1.7.2-6
- Fix overflow in audit_log_user_command, better (#438840)
- ausearch was not matching path in avc records
- audisp-prelude attempt to reposition index after examining each type
- correct building of mls policy
- Fix auparse iterating in auparse_find_field and next_field
- Don't alert on USER_AVC's - they are not quite right

* Tue Apr 08 2008 Steve Grubb <sgrubb@redhat.com> 1.7.1-1
- Fix buffer overflow in audit_log_user_command, again (#438840)
- Fix memory leak in EOE code in auditd (#440075)
- In auditctl, don't use new operators in legacy rule format
- Made a couple corrections in alpha & x86_64 syscall tables (Miloslav Trmac)

* Fri Apr 04 2008 Steve Grubb <sgrubb@redhat.com> 1.7-3
- Fix memleak in auditd eoe code

* Tue Apr 01 2008 Steve Grubb <sgrubb@redhat.com> 1.7-2
- Remove LSB headers from init scripts
- Fix buffer overflow in audit_log_user_command again

* Sun Mar 30 2008 Steve Grubb <sgrubb@redhat.com> 1.7-1
- Handle user space avcs in prelude plugin
- Fix watched account login detection for some failed login attempts
- Couple fixups in audit logging functions (Miloslav Trmac)
- Add support in auditctl for virtual keys
- auparse_find_field_next was not iterating correctly, fixed it
- Add idmef alerts for access or execution of watched file
- Fix buffer overflow in audit_log_user_command
- Add basic remote logging plugin - only sends & no flow control
- Update ausearch with interpret fixes from auparse

* Sun Mar 09 2008 Steve Grubb <sgrubb@redhat.com> 1.6.9-1
- Apply hidden attribute cleanup patch (Miloslav Trmac)
- Apply auparse expression interface patch (Miloslav Trmac)
- Fix potential memleak in audit event dispatcher
- Update system-config-audit to version 0.4.6 (Miloslav Trmac)
- audisp-prelude alerts now controlled by config file
- Updated syscall table for 2.6.25 kernel
- Apply patch correcting acct field being misencoded (Miloslav Trmac)
- Added watched account login detection for prelude plugin

* Thu Feb 14 2008 Steve Grubb <sgrubb@redhat.com> 1.6.8-1
- Update for gcc 4.3
- Cleanup descriptors in audispd before running plugin
- Fix 'recent' keyword for aureport/search
- Fix SE Linux policy for zos_remote plugin
- Add event type for group password authentication attempts
- Couple of updates to the translation tables
- Add detection of failed group authentication to audisp-prelude

* Thu Jan 31 2008 Steve Grubb <sgrubb@redhat.com> 1.6.7-2
- In ausearch/report, prefer -if to stdin
- In ausearch/report, add new command line option --input-logs (#428860)
- Updated audisp-prelude based on feedback from prelude-devel
- Added prelude alert for promiscuous socket being opened
- Added prelude alert for SE Linux policy enforcement changes
- Added prelude alerts for Forbidden Login Locations and Time
- Applied patch to auparse fixing error handling of searching by
  interpreted value (Miloslav Trmac)

* Sat Jan 19 2008 Steve Grubb <sgrubb@redhat.com> 1.6.6-1
- Add prelude IDS plugin for IDMEF alerts
- Add --user option to aulastlog command
- Use desktop-file-install for system-config-audit
- Avoid touching auditd.conf most of the time (#408501)

* Fri Jan 11 2008 Steve Grubb <sgrubb@redhat.com> 1.6.5-3
- Updates for spec file review
- Adjust permission on selinux policy file

* Mon Jan 07 2008 Steve Grubb <sgrubb@redhat.com> 1.6.5-1
- Fix config parser to allow either 0640 or 0600 for audit logs (#427062)
- Check for audit log being writable by owner in auditd
- If auditd logging was suspended, it can be resumed with SIGUSR2 (#251639)
- Updated CAPP, LSPP, and NISPOM rules for new capabilities
- Added aulastlog utility

* Sun Dec 30 2007 Steve Grubb <sgrubb@redhat.com> 1.6.4-3
- Allow 0600 file perms for audit logs

* Sat Dec 29 2007 Steve Grubb <sgrubb@redhat.com> 1.6.4-1
- fchmod of log file was on wrong variable (#426934)
- Allow use of errno strings for exit codes in audit rules

* Sat Dec 29 2007 Miloslav Trmač <mitr@redhat.com> - 1.6.3-2
- Don't fchmod() /dev/null to mode 0400 (#426934)

* Thu Dec 27 2007 Steve Grubb <sgrubb@redhat.com> 1.6.3-1
- Add kernel release string to DEAMON_START events
- Fix keep_logs when num_logs option disabled (#325561)
- Fix auparse to handle node fields for syscall records
- Update system-config-audit to version 0.4.5 (Miloslav Trmac)
- Add keyword week-ago to aureport & ausearch start/end times
- Fix audit log permissions on rotate. If group is root 0400, otherwise 0440
- Add RACF zos remote audispd plugin (Klaus Kiwi)
- Add event queue overflow action to audispd

* Mon Oct 1 2007 Steve Grubb <sgrubb@redhat.com> 1.6.2-2
- Don't retry if the rt queue is full.

* Tue Sep 25 2007 Steve Grubb <sgrubb@redhat.com> 1.6.2-1
- Add support for searching by posix regular expressions in auparse
- Route DEAMON events into rt interface
- If event pipe is full, try again after doing local logging
- Optionally add node/machine name to records in audit daemon
- Update ausearch/aureport to specify nodes to search on
- Fix segfault interpretting saddr fields in avcs

* Thu Sep 6 2007 Steve Grubb <sgrubb@redhat.com> 1.6.1-2
- Fix uninitialized variable in auparse (John Dennis)

* Sun Sep 2 2007 Steve Grubb <sgrubb@redhat.com> 1.6.1-1
- External plugin support in place
- Fix reference counting in auparse python bindings (#263961)
- Moved default af_unix plugin socket to /var/run/audispd_events

* Wed Aug 29 2007 Steve Grubb <sgrubb@redhat.com> 1.6-3
- Add newline to audispd string formatted events

* Tue Aug 28 2007 Steve Grubb <sgrubb@redhat.com> 1.6-2
- spec file cleanups
- Update to s-c-audit 0.4.3

* Mon Aug 27 2007 Steve Grubb <sgrubb@redhat.com> 1.6-1
- Update Licence tags
- Adding perm field should not set syscall added flag in auditctl
- Fix segfault when aureport -if option is used
- Fix auditctl to better check keys on rule lines
- Add support for audit by TTY and other new event types
- Auditd config option for group permission of audit logs
- Swig messed up a variable in ppc's python bindings causing crashes. (#251327)
- New audit event dispatcher
- Update syscall tables for 2.6.23 kernel

* Wed Jul 25 2007 Steve Grubb <sgrubb@redhat.com> 1.5.6-1
- Fix potential buffer overflow in print clone flags of auparse
- Fix python traceback parsing watches without perm statement (Miloslav Trmac)
- Update auditctl to handle legacy kernels when putting a watch on a dir
- Fix acct interpretation in auparse

* Tue Jul 17 2007 Miloslav Trmač <mitr@redhat.com> - 1.5.5-5
- Fix a double free when auditd receives SIGHUP
- Move the system-config-audit menu entry to the Administration menu

* Tue Jul 10 2007 Steve Grubb <sgrubb@redhat.com> 1.5.5-1
- Add system-config-audit (Miloslav Trmac)
- Correct bug in audit_make_equivalent function (Al Viro)

* Tue Jun 26 2007 Steve Grubb <sgrubb@redhat.com> 1.5.4-1
- Add feed interface to auparse library (John Dennis)
- Apply patch to libauparse for unresolved symbols (#241178)
- Apply patch to add line numbers for file events in libauparse (John Dennis)
- Change seresults to seresult in libauparse (John Dennis)
- Add unit32_t definition to swig (#244210)
- Add support for directory auditing
- Update acct field to be escaped

* Tue May 01 2007 Steve Grubb <sgrubb@redhat.com> 1.5.3-1
- Change buffer size to prevent truncation of DAEMON events with large labels
- Fix memory leaks in auparse (John Dennis)
- Update syscall tables for 2.6.21 kernel
- Update capp & lspp rules
- New python bindings for libauparse (John Dennis)

* Wed Apr 04 2007 Steve Grubb <sgrubb@redhat.com> 1.5.2-1
- New event dispatcher (James Antill)
- Apply patches fixing man pages and Makefile.am (Philipp Hahn)
- Apply patch correcting python libs permissions (Philipp Hahn)
- Fix auditd segfault on reload
- Fix bug in auparse library for file pointers and descriptors
- Extract subject information out of daemon events for ausearch

* Thu Mar 29 2007 Steve Grubb <sgrubb@redhat.com> 1.5.1-2
- Remove requires kernel-headers for python-libs
- Apply patch to prevent segfaults on auditd reload

* Tue Mar 20 2007 Steve Grubb <sgrubb@redhat.com> 1.5.1-1
- Updated autrace to monitor *at syscalls
- Add support in libaudit for AUDIT_BIT_TEST(^) and AUDIT_MASK_TEST (&)
- Finish reworking auditd config parser
- In auparse, interpret open, fcntl, and clone flags
- In auparse, when interpreting execve record types, run args through unencode
- Add support for OBJ_PID message type
- Event dispatcher updates

* Fri Mar 2 2007 Steve Grubb <sgrubb@redhat.com> 1.5-2
- rebuild

* Fri Mar 2 2007 Steve Grubb <sgrubb@redhat.com> 1.5-1
- NEW audit dispatcher program & plugin framework
- Correct hidden variables in libauparse
- Added NISPOM sample rules
- Verify accessibility of files passed in auparse_init
- Fix bug in parser library interpreting socketcalls
- Add support for stdio FILE pointer in auparse_init
- Adjust init script to allow anyone to status auditd (#230626)

* Tue Feb 20 2007 Steve Grubb <sgrubb@redhat.com> 1.4.2-1
- Add man pages
- Reduce text relocations in parser library
- Add -n option to auditd for no fork
- Add exec option to space_left, admin_space_left, disk_full,
  and disk_error - eg EXEC /usr/local/script

* Fri Feb 16 2007 Steve Grubb <sgrubb@redhat.com> 1.4.1-1
- updated audit_rule_fieldpair_data to handle perm correctly (#226780)
- Finished search options for audit parsing library
- Fix ausearch -se to work correctly
- Fix auditd init script for /usr on netdev (#228528)
- Parse avc seperms better when there are more than one

* Sun Feb 04 2007 Steve Grubb <sgrubb@redhat.com> 1.4-1
- New report about authentication attempts
- Updates for python 2.5
- update autrace to have resource usage mode
- update auditctl to support immutable config
- added audit_log_user_command function to libaudit api
- interpret capabilities
- added audit event parsing library
- updates for 2.6.20 kernel

* Sun Dec 10 2006 Steve Grubb <sgrubb@redhat.com> 1.3.1-2
- Make more adjustments for python 2.5

* Sun Dec 10 2006 Steve Grubb <sgrubb@redhat.com> 1.3.1-1
- Fix a couple parsing problems (#217952)
- Add tgkill to S390* syscall tables (#218484)
- Fix error messages in ausearch/aureport

* Wed Dec  6 2006 Jeremy Katz <katzj@redhat.com> - 1.3-4
- rebuild against python 2.5

* Thu Nov 30 2006 Steve Grubb <sgrubb@redhat.com> 1.3-3
- Fix timestamp for libaudit.conf (#218053)

* Thu Nov 30 2006 Steve Grubb <sgrubb@redhat.com> 1.3-2
- Fix minor parsing problem and add new msg types

* Tue Nov 28 2006 Steve Grubb <sgrubb@redhat.com> 1.3-1
- ausearch & aureport implement uid/gid caching
- In ausearch & aureport, extract addr when hostname is unknown
- In ausearch & aureport, test audit log presence O_RDONLY
- New ausearch/aureport time keywords: recent, this-week, this-month, this-year
- Added --add & --delete option to aureport
- Update res parsing in config change events
- Increase the size on audit daemon buffers
- Parse avc_path records in ausearch/aureport
- ausearch has new output mode, raw, for extracting events
- ausearch/aureport can now read stdin
- Rework AVC processing in ausearch/aureport
- Added long options to ausearch and aureport

* Tue Oct 24 2006 Steve Grubb <sgrubb@redhat.com> 1.2.9-1
- In auditd if num_logs is zero, don't rotate on SIGUSR1 (#208834)
- Fix some defines in libaudit.h
- Some auditd config strings were not initialized in aureport (#211443)
- Updated man pages
- Add Netlabel event types to libaudit
- Update aureports to current audit event types
- Update autrace a little
- Deprecated all the old audit_rule functions from public API
- Drop auparse library for the moment

* Fri Sep 29 2006 Steve Grubb <sgrubb@redhat.com> 1.2.8-1
- Add dist tag and bump version (#208532)
- Make internal auditd buffers bigger for context info
- Correct address resolving of hostname in logging functions
- Do not allow multiple msgtypes in same audit rule in auditctl (#207666)
- Only =, != operators for arch & inode fields in auditctl (#206427)
- Updated audit message type table
- Remove watches from aureport since FS_WATCH is deprecated
- Add audit_log_avc back temporarily (#208152)