backport some patches

audit.spec

@@ -2,7 +2,7 @@ Summary:            User space tools for kernel auditing
 Name:               audit
 Epoch:              1
 Version:            3.0
-Release:            3
+Release:            4
 License:            GPLv2+ and LGPLv2+
 URL:                https://people.redhat.com/sgrubb/audit/
 Source0:            https://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
@@ -16,6 +16,23 @@ Patch4:          backport-Add-missing-call-to-free_interpretation_list.patch
 Patch5:          backport-fix-2-more-issues-found-by-fuzzing.patch
 Patch6:          backport-Fix-an-auparse-memory-leak-caused-in-recent-glibc.patch
 Patch7:          backport-Fix-double-free-with-corrupted-logs.patch
+Patch8:          backport-Turn-libaucommon-into-a-libtool-convenience-library-.patch
+Patch9:          backport-Fix-the-closing-timing-of-audit_fd-166.patch
+Patch10:         backport-Fix-some-string-length-issues.patch
+Patch11:         backport-Move-the-free_config-to-success-path.patch
+Patch12:         backport-Check-for-fuzzer-induced-invalid-value.patch
+Patch13:         backport-error-out-if-log-is-mangled.patch
+Patch14:         backport-Dont-run-off-the-end-with-corrupt-logs.patch
+Patch15:         backport-Another-hardening-measure-for-corrupted-logs.patch
+Patch16:         backport-Fix-busy-loop-in-normalizer-when-logs-are-corrupt.patch
+Patch17:         backport-Better-fix-for-busy-loop-in-normalizer-when-logs-are.patch
+Patch18:         backport-flush-uid-gid-caches-when-user-group-added-deleted-m.patch
+Patch19:         backport-In-auditd-check-if-log_file-is-valid-before-closing-.patch
+Patch20:         backport-Check-ctime-return-code.patch
+Patch21:         backport-When-interpreting-if-val-is-NULL-return-an-empty-str.patch
+Patch22:         backport-auditd.service-Restart-on-failure-ignoring-some-exit.patch
+Patch23:         backport-0001-In-auditd-close-the-logging-file-descriptor-when-log.patch
+Patch24:         backport-0002-In-auditd-close-the-logging-file-descriptor-when-log.patch
 
 BuildRequires:      gcc swig libtool systemd kernel-headers >= 2.6.29
 BuildRequires:      openldap-devel krb5-devel libcap-ng-devel
@@ -346,6 +363,25 @@ fi
 %attr(644,root,root) %{_mandir}/man8/*.8.gz
 
 %changelog
+* Tue Nov 16 2021 yixiangzhike <yixiangzhike007@163.com> - 3.0-4
+- backport some patches 
+   Turn libaucommon into a libtool convenience library
+   Fix the closing timing of audit_fd
+   Fix some string length issues
+   Move the free_config to success path
+   Check for fuzzer induced invalid value
+   error out if log is mangled
+   Dont run off the end with corrupt logs
+   Another hardening measure for corrupted logs
+   Fix busy loop in normalizer when logs are corrupt
+   Better fix for busy loop in normalizer when logs are corrupt
+   flush uid gid caches when user group added deleted modified
+   In auditd check if log_file is valid before closing handle
+   Check ctime return code
+   When interpreting if val is NULL return an empty string
+   auditd.service Restart on failure ignoring some exit
+   In auditd close the logging file descriptor when logging is suspended
+
 * Wed Sep 1 2021 steven.ygui <steven_ygui@163.com> - 3.0-3
 - backport some patches to fix memory leak and double free issues
 

backport-0001-In-auditd-close-the-logging-file-descriptor-when-log.patch

@@ -0,0 +1,32 @@
+From d62c38a55520e58220d8e42497c4ab343185106f Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Thu, 28 Oct 2021 13:22:24 -0400
+Subject: [PATCH 2237/2246] In auditd, close the logging file descriptor when
+ logging is suspended
+
+---
+ src/auditd-event.c | 8 ++++++++
+ 1 files changed, 8 insertions(+)
+
+diff --git a/src/auditd-event.c b/src/auditd-event.c
+index f886b67..4dee990 100644
+--- a/src/auditd-event.c
++++ b/src/auditd-event.c
+@@ -723,6 +723,14 @@ static void check_log_file_size(void)
+ 			case SZ_SUSPEND:
+ 				audit_msg(LOG_ERR,
+ 		    "Audit daemon is suspending logging due to logfile size.");
++				// We need to close the file so that manual
++				// intervention can move or delete the file.
++				// We don't want to keep logging to a deleted
++				// file.
++				if (log_file)
++					fclose(log_file);
++				log_file = NULL;
++				log_fd = -1;
+ 				logging_suspended = 1;
+ 				break;
+ 			case SZ_ROTATE:
+-- 
+1.8.3.1
+

backport-0002-In-auditd-close-the-logging-file-descriptor-when-log.patch

@@ -0,0 +1,59 @@
+From 770e4f538103f8a055f46c04a9e2514f88f175c3 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Mon, 1 Nov 2021 08:29:56 -0400
+Subject: [PATCH 2244/2246] In auditd, close the logging file descriptor when
+ logging is suspended
+
+---
+ src/auditd-event.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+diff --git a/src/auditd-event.c b/src/auditd-event.c
+index 4a0a351..e88ef6e 100644
+--- a/src/auditd-event.c
++++ b/src/auditd-event.c
+@@ -861,6 +861,13 @@ static void do_space_left_action(int admin)
+ 		case FA_SUSPEND:
+ 			audit_msg(LOG_ALERT,
+ 			    "Audit daemon is suspending logging due to low disk space.");
++			// We need to close the file so that manual
++			// intervention can move or delete the file. We
++			// don't want to keep logging to a deleted file.
++			if (log_file)
++				fclose(log_file);
++			log_file = NULL;
++			log_fd = -1;
+ 			logging_suspended = 1;
+ 			break;
+ 		case FA_SINGLE:
+@@ -909,6 +916,13 @@ static void do_disk_full_action(void)
+ 		case FA_SUSPEND:
+ 			audit_msg(LOG_ALERT,
+ 			    "Audit daemon is suspending logging due to no space left on logging partition.");
++			// We need to close the file so that manual
++			// intervention can move or delete the file. We
++			// don't want to keep logging to a deleted file.
++			if (log_file)
++				fclose(log_file);
++			log_file = NULL;
++			log_fd = -1;
+ 			logging_suspended = 1;
+ 			break;
+ 		case FA_SINGLE:
+@@ -957,6 +971,13 @@ static void do_disk_error_action(const char *func, int err)
+ 		case FA_SUSPEND:
+ 			audit_msg(LOG_ALERT,
+ 			    "Audit daemon is suspending logging due to previously mentioned write error");
++			// We need to close the file so that manual
++			// intervention can move or delete the file. We
++			// don't want to keep logging to a deleted file.
++			if (log_file)
++				fclose(log_file);
++			log_file = NULL;
++			log_fd = -1;
+ 			logging_suspended = 1;
+ 			break;
+ 		case FA_SINGLE:
+-- 
+1.8.3.1
+

backport-Another-hardening-measure-for-corrupted-logs.patch

@@ -0,0 +1,85 @@
+From ab8f522953a56c860cac2cca2a7d7874419111d5 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Sat, 7 Aug 2021 13:13:19 -0400
+Subject: [PATCH 2198/2246] Another hardening measure for corrupted logs
+
+---
+ src/ausearch-lookup.c |  3 +++
+ src/ausearch-parse.c  | 25 +++++++++++++++----------
+ 2 files changed, 18 insertions(+), 10 deletions(-)
+
+diff --git a/src/ausearch-lookup.c b/src/ausearch-lookup.c
+index e27c784..dd58c36 100644
+--- a/src/ausearch-lookup.c
++++ b/src/ausearch-lookup.c
+@@ -300,6 +300,9 @@ char *unescape(const char *buf)
+ 		while (isxdigit(*ptr))
+ 			ptr++;
+ 	}
++	if ((ptr - buf) == 0)
++		return NULL;
++
+ 	str = strndup(buf, ptr - buf);
+ 
+ 	if (*buf == '(')
+diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
+index d051137..78dc44c 100644
+--- a/src/ausearch-parse.c
++++ b/src/ausearch-parse.c
+@@ -1658,12 +1658,21 @@ static int parse_sockaddr(const lnode *n, search_items *s)
+ 	if (event_hostname || event_filename) {
+ 		str = strstr(n->message, "saddr=");
+ 		if (str) {
+-			int len;
++			unsigned int len = 0;
+ 			struct sockaddr *saddr;
+ 			char name[NI_MAXHOST];
+ 
+ 			str += 6;
+-			len = strlen(str)/2;
++			const char *ptr = str;
++			if (*ptr == '(') {
++				const char *ptr2 = strchr(ptr, ')');
++				if (ptr2)
++					len = (ptr2 - ptr) + 1;
++			} else {
++				while (isxdigit(ptr[len]))
++					len++;
++				len /= 2;
++			}
+ 			s->hostname = unescape(str);
+ 			if (s->hostname == NULL)
+ 				return 4;
+@@ -1683,17 +1692,13 @@ static int parse_sockaddr(const lnode *n, search_items *s)
+ 				}
+ 				len = sizeof(struct sockaddr_in6);
+ 			} else if (saddr->sa_family == AF_UNIX) {
+-				struct sockaddr_un *un =
+-					(struct sockaddr_un *)saddr;
+-				if (un->sun_path[0])
+-					len = strlen(un->sun_path);
+-				else // abstract name
+-					len = strlen(&un->sun_path[1]);
+-				if (len == 0) {
++				if (len < 4) {
+ 					fprintf(stderr,
+ 						"sun_path len too short\n");
+ 					return 3;
+ 				}
++				struct sockaddr_un *un =
++					(struct sockaddr_un *)saddr;
+ 				if (event_filename) {
+ 					if (!s->filename) {
+ 						//create
+@@ -1736,7 +1741,7 @@ static int parse_sockaddr(const lnode *n, search_items *s)
+ 				s->hostname = NULL;
+ 				return 0;
+ 			}
+-			if (getnameinfo(saddr, len, name, NI_MAXHOST, 
++			if (getnameinfo(saddr, len, name, NI_MAXHOST,
+ 					NULL, 0, NI_NUMERICHOST) ) {
+ 				free(s->hostname);
+ 				s->hostname = NULL;
+-- 
+1.8.3.1
+

backport-Better-fix-for-busy-loop-in-normalizer-when-logs-are.patch

@@ -0,0 +1,31 @@
+From ad62fa01c7a963c56bac75d8f7db6a5c76be4655 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Sat, 7 Aug 2021 13:59:40 -0400
+Subject: [PATCH 2200/2246] Better fix for busy loop in normalizer when logs
+ are corrupt
+
+---
+ auparse/normalize.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/auparse/normalize.c b/auparse/normalize.c
+index cd0a7c2..0ccabc5 100644
+--- a/auparse/normalize.c
++++ b/auparse/normalize.c
+@@ -346,10 +346,11 @@ static void collect_id_obj2(auparse_state_t *au, const char *syscall)
+ 			if ((strcmp(str, "unset") == 0) && errno == 0) {
+ 				// Only move it if its safe to
+ 				if (cnt < limit) {
+-					auparse_next_field(au);
++					if (auparse_next_field(au) == 0)
++						return;
+ 					cnt++;
+ 				} else
+-					break;
++					return;
+ 			} else
+ 				break;
+ 		}
+-- 
+1.8.3.1
+

backport-Check-ctime-return-code.patch

@@ -0,0 +1,47 @@
+From fd76e380ea117000d9d350405e2cfbd070c5c01a Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Sat, 21 Aug 2021 10:18:30 -0400
+Subject: [PATCH 2213/2246] Check ctime return code
+
+---
+ tools/aulast/aulast.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/tools/aulast/aulast.c b/tools/aulast/aulast.c
+index c513aac..8a25f3b 100644
+--- a/tools/aulast/aulast.c
++++ b/tools/aulast/aulast.c
+@@ -96,8 +96,11 @@ static void report_session(lnode* cur)
+ 			int mins, hours, days;
+ 			if (notime)
+ 				printf("- %-7.5s", " ");
+-			else
+-				printf("- %-7.5s", ctime(&cur->end) + 11);
++			else {
++				char *ttime = ctime(&cur->end);
++				printf("- %-7.5s", ttime ? ttime + 11 :
++				       "bad value");
++			}
+ 			secs = cur->end - cur->start;
+ 			mins  = (secs / 60) % 60;
+ 			hours = (secs / 3600) % 24;
+@@ -128,10 +131,13 @@ static void report_session(lnode* cur)
+ 		strftime(start, sizeof(start), "%x %T", btm);
+ 		if (cur->end != 0) {
+ 			btm = localtime(&cur->end);
+-			strftime(end, sizeof(end), "%x %T", btm);
+-		      printf("    ausearch --start %s --end %s",
+-				start, end);
++			if (btm) {
++				strftime(end, sizeof(end), "%x %T", btm);
++				printf("    ausearch --start %s --end %s",
++					start, end);
++			} else goto no_end;
+ 		} else {
++no_end:
+ 		    printf("    ausearch --start %s", start);
+ 		}
+ 		if (cur->name == NULL)
+-- 
+1.8.3.1
+

backport-Check-for-fuzzer-induced-invalid-value.patch

@@ -0,0 +1,26 @@
+From a3db7a4f849f52105b13fa412e64fc76c6b2895b Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Thu, 5 Aug 2021 21:51:33 -0400
+Subject: [PATCH 2182/2246] Check for fuzzer induced invalid value
+
+---
+ auparse/ellist.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/auparse/ellist.c b/auparse/ellist.c
+index 17384a7..175e44e 100644
+--- a/auparse/ellist.c
++++ b/auparse/ellist.c
+@@ -151,6 +151,9 @@ static int parse_up_record(rnode* r)
+ 			n.val = strdup(val);
+ 			// Remove trailing punctuation
+ 			len = strlen(n.val);
++			// Check for invalid val
++			if (!len)
++				continue;
+ 			if (len && n.val[len-1] == ':') {
+ 				n.val[len-1] = 0;
+ 				len--;
+-- 
+1.8.3.1
+

backport-Dont-run-off-the-end-with-corrupt-logs.patch

@@ -0,0 +1,43 @@
+From 50c65ae25e64b7bd4489ce22a4c7789fa9a81f2f Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Sat, 7 Aug 2021 11:33:20 -0400
+Subject: [PATCH 2197/2246] Dont run off the end with corrupt logs
+
+---
+ src/ausearch-parse.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
+index 81ef319..d051137 100644
+--- a/src/ausearch-parse.c
++++ b/src/ausearch-parse.c
+@@ -1031,7 +1031,7 @@ static int parse_user(const lnode *n, search_items *s, anode *avc)
+ 		if (str) {
+ 			str += 5;
+ 			term = str;
+-			while (*term != ' ' && *term != ':')
++			while (*term != ' ' && *term != ':' && *term)
+ 				term++;
+ 			if (term == str)
+ 				return 24;
+@@ -1244,7 +1244,7 @@ skip:
+ 				char *end = str;
+ 				int legacy = 0;
+ 
+-				while (*end != ' ') {
++				while (*end != ' ' && *end) {
+ 					if (!isxdigit(*end)) {
+ 						legacy = 1;
+ 					}
+@@ -1295,7 +1295,7 @@ skip:
+ 				char *end = str;
+ 				int legacy = 0;
+ 
+-				while (*end != ' ') {
++				while (*end != ' ' && *end) {
+ 					if (!isxdigit(*end)) {
+ 						legacy = 1;
+ 					}
+-- 
+1.8.3.1
+

backport-Fix-busy-loop-in-normalizer-when-logs-are-corrupt.patch

@@ -0,0 +1,26 @@
+From 2b34fea50a9f6a65dd51a2b7abf67e6f19c8d1f5 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Sat, 7 Aug 2021 13:51:30 -0400
+Subject: [PATCH 2199/2246] Fix busy loop in normalizer when logs are corrupt
+
+---
+ auparse/normalize.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/auparse/normalize.c b/auparse/normalize.c
+index 99f9803..cd0a7c2 100644
+--- a/auparse/normalize.c
++++ b/auparse/normalize.c
+@@ -348,7 +348,8 @@ static void collect_id_obj2(auparse_state_t *au, const char *syscall)
+ 				if (cnt < limit) {
+ 					auparse_next_field(au);
+ 					cnt++;
+-				}
++				} else
++					break;
+ 			} else
+ 				break;
+ 		}
+-- 
+1.8.3.1
+

backport-Fix-some-string-length-issues.patch

@@ -0,0 +1,64 @@
+From 39f868fef95f95786358bc3690a327d4f11d2d43 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Thu, 3 Jun 2021 16:18:36 -0400
+Subject: [PATCH 2084/2246] Fix some string length issues
+
+In interpret, fix the size so that we need to size it again later if new
+strings get added. The ausearch/report issues have the size information
+available, so FORTIFY_SOURCE should keep things in check.
+---
+ auparse/interpret.c | 2 +-
+ src/aureport.c      | 4 ++--
+ src/ausearch.c      | 4 ++--
+ 3 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index e22cae7..5d6f31a 100644
+--- a/auparse/interpret.c
++++ b/auparse/interpret.c
+@@ -1242,7 +1242,7 @@ static const char *print_flags(const char *val)
+ {
+         int flags, cnt = 0;
+ 	size_t i;
+-	char *out, buf[80];
++	char *out, buf[sizeof(flag_strings)];
+ 
+         errno = 0;
+         flags = strtoul(val, NULL, 16);
+diff --git a/src/aureport.c b/src/aureport.c
+index d0251a4..22618f0 100644
+--- a/src/aureport.c
++++ b/src/aureport.c
+@@ -168,10 +168,10 @@ static int process_logs(void)
+ 	int num = 0;
+ 
+ 	if (user_file && userfile_is_dir) {
+-		char dirname[MAXPATHLEN];
++		char dirname[MAXPATHLEN+1];
+ 		clear_config (&config);
+ 
+-		strcpy(dirname, user_file);
++		strncpy(dirname, user_file, MAXPATHLEN-32);
+ 		if (dirname[strlen(dirname)-1] != '/')
+ 			strcat(dirname, "/");
+ 		strcat (dirname, "audit.log");
+diff --git a/src/ausearch.c b/src/ausearch.c
+index 97f89bf..768807e 100644
+--- a/src/ausearch.c
++++ b/src/ausearch.c
+@@ -228,10 +228,10 @@ static int process_logs(void)
+ 	int ret;
+ 
+ 	if (user_file && userfile_is_dir) {
+-		char dirname[MAXPATHLEN];
++		char dirname[MAXPATHLEN+1];
+ 		clear_config (&config);
+ 
+-		strcpy(dirname, user_file);
++		strncpy(dirname, user_file, MAXPATHLEN-32);
+ 		if (dirname[strlen(dirname)-1] != '/')
+ 				strcat(dirname, "/");
+ 		strcat (dirname, "audit.log");
+-- 
+1.8.3.1
+

backport-Fix-the-closing-timing-of-audit_fd-166.patch

@@ -0,0 +1,28 @@
+From 72996b1821b5dbd22f5e08c477660a75a38e4414 Mon Sep 17 00:00:00 2001
+From: MIZUTA Takeshi <mizuta.takeshi@fujitsu.com>
+Date: Wed, 14 Apr 2021 20:08:17 +0900
+Subject: [PATCH 2048/2246] Fix the closing timing of audit_fd (#166)
+
+---
+ lib/netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/netlink.c b/lib/netlink.c
+index 9525b8d..f7cbeb0 100644
+--- a/lib/netlink.c
++++ b/lib/netlink.c
+@@ -64,10 +64,10 @@ int audit_open(void)
+ 	}
+ 	if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) {
+ 		saved_errno = errno;
+-		close(fd);
+ 		audit_msg(LOG_ERR, 
+ 			"Error setting audit netlink socket CLOEXEC flag (%s)", 
+ 			strerror(errno));
++		close(fd);
+ 		errno = saved_errno;
+ 		return -1;
+ 	}
+-- 
+1.8.3.1
+

backport-In-auditd-check-if-log_file-is-valid-before-closing-.patch

@@ -0,0 +1,135 @@
+From 6531c7dfb832ea245d8004662ea7c4e90107c0df Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Wed, 11 Aug 2021 15:10:18 -0400
+Subject: [PATCH 2207/2246] In auditd, check if log_file is valid before
+ closing handle
+
+---
+ src/auditd-event.c | 44 +++++++++++++++++++++++++++++++----------------
+ 1 files changed, 29 insertions(+), 15 deletions(-)
+
+diff --git a/src/auditd-event.c b/src/auditd-event.c
+index 3655726..788c44a 100644
+--- a/src/auditd-event.c
++++ b/src/auditd-event.c
+@@ -71,7 +71,7 @@ static void init_flush_thread(void);
+ /* Local Data */
+ static struct daemon_conf *config;
+ static volatile int log_fd;
+-static FILE *log_file;
++static FILE *log_file = NULL;
+ static unsigned int disk_err_warning = 0;
+ static int fs_space_warning = 0;
+ static int fs_admin_space_warning = 0;
+@@ -174,7 +175,8 @@ int init_event(struct daemon_conf *conf)
+ 	format_buf = (char *)malloc(FORMAT_BUF_LEN);
+ 	if (format_buf == NULL) {
+ 		audit_msg(LOG_ERR, "No memory for formatting, exiting");
+-		fclose(log_file);
++		if (log_file)
++			fclose(log_file);
+ 		log_file = NULL;
+ 		return 1;
+ 	}
+@@ -212,7 +214,8 @@ static void *flush_thread_main(void *arg)
+ 		flush = 0;
+ 		pthread_mutex_unlock(&flush_lock);
+ 
+-		fsync(log_fd);
++		if (log_fd >= 0)
++			fsync(log_fd);
+ 	}
+ 	return NULL;
+ }
+@@ -589,7 +592,8 @@ void handle_event(struct auditd_event *e)
+ 				if (config->daemonize == D_BACKGROUND) {
+ 					if (config->flush == FT_INCREMENTAL) {
+ 						/* EIO is only likely failure */
+-						if (fsync(log_fd) != 0) {
++						if (log_fd >= 0 &&
++							fsync(log_fd) != 0) {
+ 						     do_disk_error_action(
+ 							"fsync",
+ 							errno);
+@@ -744,6 +748,9 @@ static void check_space_left(void)
+ 	int rc;
+ 	struct statfs buf;
+ 
++	if (log_fd < 0)
++		return;
++
+         rc = fstatfs(log_fd, &buf);
+         if (rc == 0) {
+ 		if (buf.f_bavail < 5) {
+@@ -831,7 +838,8 @@ static void do_space_left_action(int admin)
+ 		case FA_EXEC:
+ 			// Close the logging file in case the script zips or
+ 			// moves the file. We'll reopen in sigusr2 handler
+-			fclose(log_file);
++			if (log_file)
++				fclose(log_file);
+ 			log_file = NULL;
+ 			log_fd = -1;
+ 			logging_suspended = 1;
+@@ -881,7 +889,8 @@ static void do_disk_full_action(void)
+ 		case FA_EXEC:
+ 			// Close the logging file in case the script zips or
+ 			// moves the file. We'll reopen in sigusr2 handler
+-			fclose(log_file);
++			if (log_file)
++				fclose(log_file);
+ 			log_file = NULL;
+ 			log_fd = -1;
+ 			logging_suspended = 1;
+@@ -928,7 +937,8 @@ static void do_disk_error_action(const char *func, int err)
+ 		case FA_EXEC:
+ 			// Close the logging file in case the script zips or
+ 			// moves the file. We'll reopen in sigusr2 handler
+-			fclose(log_file);
++			if (log_file)
++				fclose(log_file);
+ 			log_file = NULL;
+ 			log_fd = -1;
+ 			logging_suspended = 1;
+@@ -1053,17 +1063,21 @@ static void rotate_logs(unsigned int num_logs, unsigned int keep_logs)
+ 	/* Close audit file. fchmod and fchown errors are not fatal because we
+ 	 * already adjusted log file permissions and ownership when opening the
+ 	 * log file. */
+-	if (fchmod(log_fd, config->log_group ? S_IRUSR|S_IRGRP : S_IRUSR) < 0){
+-		audit_msg(LOG_WARNING, "Couldn't change permissions while "
++	if (log_fd >= 0) {
++		if (fchmod(log_fd, config->log_group ? S_IRUSR|S_IRGRP :
++			  S_IRUSR) < 0){
++		    audit_msg(LOG_WARNING, "Couldn't change permissions while "
+ 			"rotating log file (%s)", strerror(errno));
+-	}
+-	if (fchown(log_fd, 0, config->log_group) < 0) {
+-		audit_msg(LOG_WARNING, "Couldn't change ownership while "
++		}
++		if (fchown(log_fd, 0, config->log_group) < 0) {
++		    audit_msg(LOG_WARNING, "Couldn't change ownership while "
+ 			"rotating log file (%s)", strerror(errno));
++		}
+ 	}
+-	fclose(log_file);
++	if (log_file)
++		fclose(log_file);
+ 	log_file = NULL;
+-	
++
+ 	/* Rotate */
+ 	len = strlen(config->log_file) + 16;
+ 	oldname = (char *)malloc(len);
+@@ -1470,7 +1484,8 @@ static void reconfigure(struct auditd_event *e)
+ 		free((void *)nconf->log_file);
+ 
+ 	if (need_reopen) {
+-		fclose(log_file);
++		if (log_file)
++			fclose(log_file);
+ 		log_file = NULL;
+ 		fix_disk_permissions();
+ 		if (open_audit_log()) {
+-- 
+1.8.3.1
+

backport-Move-the-free_config-to-success-path.patch

@@ -0,0 +1,28 @@
+From d89e5647d9e090f45146c144d920bd1f686a8230 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Thu, 15 Jul 2021 11:36:17 -0400
+Subject: [PATCH 2163/2246] Move the free_config to success path
+
+---
+ src/auditd.c | 4 +++---
+ 1 file changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/src/auditd.c b/src/auditd.c
+index ca69d3b..5478cc4 100644
+--- a/src/auditd.c
++++ b/src/auditd.c
+@@ -457,8 +457,10 @@ static int become_daemon(void)
+ 				return -1;
+ 
+ 			/* Success - die a happy death */
+-			if (status == SUCCESS)
++			if (status == SUCCESS) {
++				free_config(&config);
+ 				_exit(0);
++			}
+ 			return -1;
+ 	}
+ 
+-- 
+1.8.3.1
+

backport-Turn-libaucommon-into-a-libtool-convenience-library-.patch

@@ -0,0 +1,118 @@
+From dcbc6c76b10651c1d1b27b95869ab82ee2153afe Mon Sep 17 00:00:00 2001
+From: Laurent Bigonville <bigon@users.noreply.github.com>
+Date: Tue, 5 Jan 2021 19:29:44 +0100
+Subject: [PATCH 1988/2246] Turn libaucommon into a libtool convenience library
+ (#147)
+
+This makes sure that the functions compiled into libaucommon
+(audit_strsplit_r,...) end up in the libaudit/libauparse static library
+
+Fixes: #146
+---
+ audisp/plugins/remote/Makefile.am | 2 +-
+ audisp/plugins/syslog/Makefile.am | 2 +-
+ auparse/Makefile.am               | 4 ++--
+ auparse/test/Makefile.am          | 6 +++---
+ common/Makefile.am                | 6 +++---
+ lib/Makefile.am                   | 4 ++--
+ 6 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/audisp/plugins/remote/Makefile.am b/audisp/plugins/remote/Makefile.am
+index 0066e25..bd3f301 100644
+--- a/audisp/plugins/remote/Makefile.am
++++ b/audisp/plugins/remote/Makefile.am
+@@ -33,7 +33,7 @@ man_MANS = audisp-remote.8 audisp-remote.conf.5
+ check_PROGRAMS = test-queue
+ TESTS = $(check_PROGRAMS)
+ 
+-audisp_remote_DEPENDENCIES = ${top_builddir}/common/libaucommon.a
++audisp_remote_DEPENDENCIES = ${top_builddir}/common/libaucommon.la
+ audisp_remote_SOURCES = audisp-remote.c remote-config.c queue.c
+ audisp_remote_CFLAGS = -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -Wundef
+ audisp_remote_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
+diff --git a/audisp/plugins/syslog/Makefile.am b/audisp/plugins/syslog/Makefile.am
+index 55ca77b..353229e 100644
+--- a/audisp/plugins/syslog/Makefile.am
++++ b/audisp/plugins/syslog/Makefile.am
+@@ -29,7 +29,7 @@ plugin_conf = syslog.conf
+ sbin_PROGRAMS = audisp-syslog
+ man_MANS = audisp-syslog.8
+ 
+-audisp_syslog_DEPENDENCIES = ${top_builddir}/common/libaucommon.a
++audisp_syslog_DEPENDENCIES = ${top_builddir}/common/libaucommon.la
+ audisp_syslog_SOURCES = audisp-syslog.c
+ audisp_syslog_CFLAGS = -fPIE -DPIE -g -D_GNU_SOURCE -Wundef
+ audisp_syslog_LDFLAGS = -pie -Wl,-z,relro -Wl,-z,now
+diff --git a/auparse/Makefile.am b/auparse/Makefile.am
+index b853003..d180c34 100644
+--- a/auparse/Makefile.am
++++ b/auparse/Makefile.am
+@@ -45,8 +45,8 @@ libauparse_la_SOURCES = lru.c interpret.c nvlist.c ellist.c		\
+ 	normalize_record_map.h normalize_syscall_map.h
+ nodist_libauparse_la_SOURCES = $(BUILT_SOURCES)
+ 
+-libauparse_la_LIBADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a
+-libauparse_la_DEPENDENCIES = $(libauparse_la_SOURCES) ${top_builddir}/config.h ${top_builddir}/common/libaucommon.a
++libauparse_la_LIBADD = ${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la
++libauparse_la_DEPENDENCIES = $(libauparse_la_SOURCES) ${top_builddir}/config.h ${top_builddir}/common/libaucommon.la
+ libauparse_la_LDFLAGS = -Wl,-z,relro
+ 
+ message.c:
+diff --git a/auparse/test/Makefile.am b/auparse/test/Makefile.am
+index 89ffcc4..11d10b0 100644
+--- a/auparse/test/Makefile.am
++++ b/auparse/test/Makefile.am
+@@ -29,17 +29,17 @@ AM_CPPFLAGS = -I${top_srcdir}/auparse -I${top_srcdir}/lib
+ 
+ lookup_test_SOURCES = lookup_test.c
+ lookup_test_LDADD = ${top_builddir}/auparse/libauparse.la \
+-	${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a
++	${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la
+ 
+ auparse_test_SOURCES = auparse_test.c
+ auparse_test_LDFLAGS = -static
+ auparse_test_LDADD = ${top_builddir}/auparse/libauparse.la \
+-	${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a
++	${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la
+ 
+ auparselol_test_SOURCES = auparselol_test.c
+ auparselol_test_LDFLAGS = -static
+ auparselol_test_LDADD = ${top_builddir}/auparse/libauparse.la \
+-	${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.a
++	${top_builddir}/lib/libaudit.la ${top_builddir}/common/libaucommon.la
+ 
+ drop_srcdir = sed 's,$(srcdir)/test,test,'
+ 
+diff --git a/common/Makefile.am b/common/Makefile.am
+index 9e00cbc..8b9aacb 100644
+--- a/common/Makefile.am
++++ b/common/Makefile.am
+@@ -24,7 +24,7 @@ CONFIG_CLEAN_FILES = *.rej *.orig
+ AM_CPPFLAGS = -D_GNU_SOURCE -fPIC -DPIC -I${top_srcdir} -I${top_srcdir}/lib
+ 
+ noinst_HEADERS = common.h
+-libaucommon_a_DEPENDENCIES = ../config.h
+-libaucommon_a_SOURCES = audit-fgets.c strsplit.c
+-noinst_LIBRARIES = libaucommon.a
++libaucommon_la_DEPENDENCIES = ../config.h
++libaucommon_la_SOURCES = audit-fgets.c strsplit.c
++noinst_LTLIBRARIES = libaucommon.la
+ 
+diff --git a/lib/Makefile.am b/lib/Makefile.am
+index 107c444..12e5861 100644
+--- a/lib/Makefile.am
++++ b/lib/Makefile.am
+@@ -38,8 +38,8 @@ include_HEADERS = libaudit.h
+ libaudit_la_SOURCES = libaudit.c message.c netlink.c \
+ 	lookup_table.c audit_logging.c deprecated.c \
+ 	dso.h private.h errormsg.h
+-libaudit_la_LIBADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.a
+-libaudit_la_DEPENDENCIES = $(libaudit_la_SOURCES) ../config.h ${top_builddir}/common/libaucommon.a
++libaudit_la_LIBADD = $(CAPNG_LDADD) ${top_builddir}/common/libaucommon.la
++libaudit_la_DEPENDENCIES = $(libaudit_la_SOURCES) ../config.h ${top_builddir}/common/libaucommon.la
+ libaudit_la_LDFLAGS = -Wl,-z,relro -version-info $(VERSION_INFO)
+ nodist_libaudit_la_SOURCES = $(BUILT_SOURCES)
+ 
+-- 
+1.8.3.1
+

backport-When-interpreting-if-val-is-NULL-return-an-empty-str.patch

@@ -0,0 +1,27 @@
+From ce58837d44b7d9fcb4e140c23f68e0c94d95ab6e Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Sat, 21 Aug 2021 10:20:11 -0400
+Subject: [PATCH 2214/2246] When interpreting, if val is NULL return an empty
+ string
+
+---
+ auparse/interpret.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index 177ab82..63829aa 100644
+--- a/auparse/interpret.c
++++ b/auparse/interpret.c
+@@ -840,6 +840,9 @@ static char *print_escaped(const char *val)
+ {
+ 	char *out;
+ 
++	if (val == NULL)
++                        return strdup(" ");
++
+         if (*val == '"') {
+                 char *term;
+                 val++;
+-- 
+1.8.3.1
+

backport-auditd.service-Restart-on-failure-ignoring-some-exit.patch

@@ -0,0 +1,35 @@
+From 30382bfcc0f64f451bc084c9657a546cb34492a7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?= <travier@redhat.com>
+Date: Fri, 1 Oct 2021 16:35:57 +0200
+Subject: [PATCH 2228/2246] auditd.service: Restart 'on-failure', ignoring some
+ exit codes (#217)
+
+Use `Restart=on-failure` to automatically restart `auditd`. Do not
+restart for intentional exits. See EXIT CODES section in auditd(8).
+
+See:
+- https://www.freedesktop.org/software/systemd/man/systemd.service.html#Restart=
+- https://www.freedesktop.org/software/systemd/man/systemd.service.html#RestartPreventExitStatus=
+
+Fixes: https://github.com/linux-audit/audit-userspace/issues/211
+---
+ init.d/auditd.service | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/init.d/auditd.service b/init.d/auditd.service
+index 67cda58..e801281 100644
+--- a/init.d/auditd.service
++++ b/init.d/auditd.service
+@@ -27,6 +27,9 @@ ExecStartPost=-/sbin/augenrules --load
+ # By default we don't clear the rules on exit. To enable this, uncomment
+ # the next line after copying the file to /etc/systemd/system/auditd.service
+ #ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
++Restart=on-failure
++# Do not restart for intentional exits. See EXIT CODES section in auditd(8).
++RestartPreventExitStatus=2 4 6
+ 
+ ### Security Settings ###
+ MemoryDenyWriteExecute=true
+-- 
+1.8.3.1
+

backport-error-out-if-log-is-mangled.patch

@@ -0,0 +1,27 @@
+From fc97c70fdba18280985747198a6ce836d39cce9e Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Sat, 7 Aug 2021 10:29:07 -0400
+Subject: [PATCH 2196/2246] error out if log is mangled
+
+---
+ src/ausearch-parse.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
+index b0c8b2a..81ef319 100644
+--- a/src/ausearch-parse.c
++++ b/src/ausearch-parse.c
+@@ -1995,6 +1995,10 @@ other_avc:
+ 			*term = '"';
+ 		} else { 
+ 			s->comm = unescape(str);
++			if (s->comm == NULL) {
++				rc = 11;
++				goto err;
++			}
+ 			term = str + 6;
+ 		}
+ 	}
+-- 
+1.8.3.1
+

backport-flush-uid-gid-caches-when-user-group-added-deleted-m.patch

@@ -0,0 +1,128 @@
+From 8662f61108f8b9365f96ef49ca8ca331a7880f24 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Tue, 10 Aug 2021 11:27:16 -0400
+Subject: [PATCH 2205/2246] flush uid/gid caches when user/group
+ added/deleted/modified
+
+It was reported in issue #209 that in the enriched format that auditd
+is creating the wrong account associations. This is due to caching
+previous lookups. The fix is to monitor for account lifecycle changes
+and flush the LRUs if any are seen.
+---
+ auparse/auparse-idata.h |  3 ++-
+ auparse/interpret.c     | 12 ++++++++++++
+ src/auditd-event.c      | 27 +++++++++++++++++++++++++--
+ 3 files changed, 39 insertions(+), 3 deletions(-)
+
+diff --git a/auparse/auparse-idata.h b/auparse/auparse-idata.h
+index 660901a..eaca86a 100644
+--- a/auparse/auparse-idata.h
++++ b/auparse/auparse-idata.h
+@@ -1,6 +1,6 @@
+ /*
+ * idata.h - Header file for ausearch-lookup.c
+-* Copyright (c) 2013,2016-17 Red Hat Inc., Durham, North Carolina.
++* Copyright (c) 2013,2016-17,2021 Red Hat Inc.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+@@ -45,6 +45,7 @@ char *auparse_do_interpretation(int type, const idata *id,
+ void _auparse_load_interpretations(const char *buf);
+ void _auparse_free_interpretations(void);
+ const char *_auparse_lookup_interpretation(const char *name);
++void _auparse_flush_caches(void);
+ 
+ #endif
+ 
+diff --git a/auparse/interpret.c b/auparse/interpret.c
+index 046867b..eef377a 100644
+--- a/auparse/interpret.c
++++ b/auparse/interpret.c
+@@ -653,6 +653,18 @@ void aulookup_destroy_gid_list(void)
+ 	gid_cache_created = 0;
+ }
+ 
++void _auparse_flush_caches(void)
++{
++	if (uid_cache_created) {
++		destroy_lru(uid_cache);
++		uid_cache_created = 0;
++	}
++	if (gid_cache_created) {
++		destroy_lru(gid_cache);
++		gid_cache_created = 0;
++	}
++}
++
+ static const char *print_uid(const char *val, unsigned int base)
+ {
+         int uid;
+diff --git a/src/auditd-event.c b/src/auditd-event.c
+index cb29fee..3655726 100644
+--- a/src/auditd-event.c
++++ b/src/auditd-event.c
+@@ -42,6 +42,7 @@
+ #include "libaudit.h"
+ #include "private.h"
+ #include "auparse.h"
++#include "auparse-idata.h"
+ 
+ /* This is defined in auditd.c */
+ extern volatile int stop;
+@@ -56,7 +57,7 @@ static void do_space_left_action(int admin);
+ static void do_disk_full_action(void);
+ static void do_disk_error_action(const char *func, int err);
+ static void fix_disk_permissions(void);
+-static void check_excess_logs(void); 
++static void check_excess_logs(void);
+ static void rotate_logs_now(void);
+ static void rotate_logs(unsigned int num_logs, unsigned int keep_logs);
+ static void shift_logs(void);
+@@ -394,7 +395,7 @@ static const char *format_enrich(const struct audit_reply *rep)
+ 	        	snprintf(format_buf, MAX_AUDIT_MESSAGE_LENGTH,
+ 		    "type=DAEMON_ERR op=format-enriched msg=NULL res=failed");
+ 	} else {
+-		int rc;
++		int rc, rtype;
+ 		size_t mlen, len;
+		auparse_state_t *au;
+ 		char *message;
+@@ -427,6 +428,17 @@ static const char *format_enrich(const struct audit_reply *rep)
+ 
+ 		// Loop over all fields while possible to add field
+ 		rc = auparse_first_record(au);
++		rtype = auparse_get_type(au);
++		switch (rtype)
++		{	// Flush before adding to pickup new associations
++			case AUDIT_ADD_USER:
++			case AUDIT_ADD_GROUP:
++				_auparse_flush_caches();
++				break;
++			default:
++				break;
++		}
++
+ 		while (rc > 0 && len > MIN_SPACE_LEFT) {
+ 			// See what kind of field we have
+ 			size_t vlen;
+@@ -454,6 +466,17 @@ static const char *format_enrich(const struct audit_reply *rep)
+ 			rc = auparse_next_field(au);
+ 		}
+ 
++		switch(rtype)
++		{	// Flush after modification to remove stale entries
++			case AUDIT_USER_MGMT:
++			case AUDIT_DEL_USER:
++			case AUDIT_DEL_GROUP:
++			case AUDIT_GRP_MGMT:
++				_auparse_flush_caches();
++				break;
++			default:
++				break;
++		}
+ 		auparse_destroy_ext(au, AUPARSE_DESTROY_COMMON);
+ 		free(message);
+ 	}
+-- 
+1.8.3.1
+