diff -urNp audit-3.0.orig/auparse/normalize.c audit-3.0/auparse/normalize.c
--- audit-3.0.orig/auparse/normalize.c 2018-05-21 13:38:08.000000000 -0400
+++ audit-3.0/auparse/normalize.c 2018-07-01 10:22:28.772089011 -0400
@@ -910,6 +910,7 @@ static const char *normalize_determine_e
 case AUDIT_NETFILTER_CFG:
 case AUDIT_FEATURE_CHANGE ... AUDIT_REPLACE:
 case AUDIT_USER_DEVICE:
+ case AUDIT_SOFTWARE_UPDATE:
 kind = NORM_EVTYPE_CONFIG;
 break;
 case AUDIT_SECCOMP:
@@ -1187,6 +1188,11 @@ static value_t find_simple_object(aupars
 f = auparse_find_field(au, "device");
 D.thing.what = NORM_WHAT_KEYSTROKES;
 break;
+ case AUDIT_SOFTWARE_UPDATE:
+ auparse_first_record(au);
+ f = auparse_find_field(au, "sw");
+ D.thing.what = NORM_WHAT_SOFTWARE;
+ break;
 case AUDIT_VIRT_MACHINE_ID:
 f = auparse_find_field(au, "vm");
 D.thing.what = NORM_WHAT_VM;
@@ -1286,6 +1292,9 @@ static value_t find_simple_obj_secondary
 case AUDIT_CRYPTO_SESSION:
 f = auparse_find_field(au, "rport");
 break;
+ case AUDIT_SOFTWARE_UPDATE:
+ f = auparse_find_field(au, "sw_type");
+ break;
 default:
 break;
 }
@@ -1311,6 +1320,9 @@ static value_t find_simple_obj_primary2(
 case AUDIT_VIRT_RESOURCE:
 f = auparse_find_field(au, "vm");
 break;
+ case AUDIT_SOFTWARE_UPDATE:
+ f = auparse_find_field(au, "root_dir");
+ break;
 default:
 break;
 }
@@ -1628,6 +1640,10 @@ map:
 if (D.opt == NORM_OPT_ALL) {
 if (type == AUDIT_USER_DEVICE) {
 add_obj_attr(au, "uuid", 0);
+ } else if (type == AUDIT_SOFTWARE_UPDATE) {
+ auparse_first_record(au);
+ add_obj_attr(au, "key_enforce", 0);
+ add_obj_attr(au, "gpg_res", 0);
 }
 }
diff -urNp audit-3.0.orig/auparse/normalize-internal.h audit-3.0/auparse/normalize-internal.h
--- audit-3.0.orig/auparse/normalize-internal.h 2018-05-21 13:38:08.000000000 -0400
+++ audit-3.0/auparse/normalize-internal.h 2018-07-01 10:24:07.029078467 -0400
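Review bot: The new `AUDIT_SOFTWARE_UPDATE` case in find_simple_object discards the return value of `auparse_first_record(au)`, so a failed rewind goes unnoticed and `auparse_find_field(au, "sw")` then searches from wherever the cursor happened to be. The matching cases added to find_simple_obj_secondary (`sw_type`) and find_simple_obj_primary2 (`root_dir`) do not rewind at all, which presumably relies on those fields following `sw` in the record, since auparse_find_field searches forward from the current position. I would state that dependency next to the lookups, for example `/* no rewind: sw_type is expected after sw in SOFTWARE_UPDATE */`, and check the rewind result if the rest of the function does so for other record types. All three functions begin and end outside their hunks, so how `f` is initialised and consumed is not visible here.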
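Review bot: `key_enforce` and `gpg_res` are attached only inside the `D.opt == NORM_OPT_ALL` branch after the `map:` label, so a consumer that normalizes with any other option gets a software-update event with no trace of those two fields. Judging by their names they carry the signature-enforcement setting and the signature-check outcome, which is what an analyst needs to tell a verified package change from an unverified one. If the restriction is intended, the branch should say so, e.g. `/* signature-check fields are exposed as object attributes only under NORM_OPT_ALL */`. The return values of `auparse_first_record` and `add_obj_attr` are also ignored here, and the enclosing function starts and ends outside the hunk.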
@@ -1,6 +1,6 @@
 /*
 * normalize-internal.h
- * Copyright (c) 2016-17 Red Hat Inc., Durham, North Carolina.
+ * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina.
 * All Rights Reserved.
 *
 * This library is free software; you can redistribute it and/or
@@ -96,6 +96,7 @@
 #define NORM_WHAT_MEMORY 20
 #define NORM_WHAT_KEYSTROKES 21
 #define NORM_WHAT_DEVICE 22
+#define NORM_WHAT_SOFTWARE 23
 // This enum is used to map events to what kind they are
 #define NORM_EVTYPE_UNKNOWN 0
diff -urNp audit-3.0.orig/auparse/normalize_obj_kind_map.h audit-3.0/auparse/normalize_obj_kind_map.h
--- audit-3.0.orig/auparse/normalize_obj_kind_map.h 2018-05-21 13:38:08.000000000 -0400
+++ audit-3.0/auparse/normalize_obj_kind_map.h 2018-07-01 10:22:28.806089007 -0400
@@ -1,6 +1,6 @@
 /*
 * normalize_obj_kind_map.h
- * Copyright (c) 2016-17 Red Hat Inc., Durham, North Carolina.
+ * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina.
 * All Rights Reserved.
 *
 * This library is free software; you can redistribute it and/or
@@ -45,4 +45,5 @@ _S(NORM_WHAT_MAC_CONFIG, "mac-config")
 _S(NORM_WHAT_MEMORY, "memory")
 _S(NORM_WHAT_KEYSTROKES, "keystrokes")
 _S(NORM_WHAT_DEVICE, "device")
+_S(NORM_WHAT_SOFTWARE, "software")
 //_S(, "")
diff -urNp audit-3.0.orig/auparse/normalize_record_map.h audit-3.0/auparse/normalize_record_map.h
--- audit-3.0.orig/auparse/normalize_record_map.h 2018-05-21 13:38:08.000000000 -0400
+++ audit-3.0/auparse/normalize_record_map.h 2018-07-01 10:22:28.806089007 -0400
@@ -1,6 +1,6 @@
 /*
 * normalize_record_map.h
- * Copyright (c) 2016-17 Red Hat Inc., Durham, North Carolina.
+ * Copyright (c) 2016-18 Red Hat Inc., Durham, North Carolina.
 * All Rights Reserved.
 *
 * This library is free software; you can redistribute it and/or
@@ -63,6 +63,7 @@ _S(AUDIT_MAC_CHECK, "mac-permission")
 _S(AUDIT_ACCT_LOCK, "locked-account")
 _S(AUDIT_ACCT_UNLOCK, "unlocked-account")
 _S(AUDIT_USER_DEVICE, "configured-device")
+_S(AUDIT_SOFTWARE_UPDATE, "installed-software")
 _S(AUDIT_DAEMON_START, "started-audit")
 _S(AUDIT_DAEMON_END, "shutdown-audit")
 _S(AUDIT_DAEMON_ABORT, "aborted-auditd-startup")
diff -urNp audit-3.0.orig/auparse/typetab.h audit-3.0/auparse/typetab.h
--- audit-3.0.orig/auparse/typetab.h 2018-05-21 13:38:08.000000000 -0400
+++ audit-3.0/auparse/typetab.h 2018-07-01 10:22:28.807089007 -0400
@@ -1,5 +1,5 @@
 /* typetab.h --
- * Copyright 2007-09,2011-12,2014-17 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2007-09,2011-12,2014-18 Red Hat Inc., Durham, North Carolina.
 * All Rights Reserved.
 *
 * This library is free software; you can redistribute it and/or
@@ -140,4 +140,5 @@ _S(AUPARSE_TYPE_MACPROTO, "macproto" )
 _S(AUPARSE_TYPE_ESCAPED, "invalid_context")
 _S(AUPARSE_TYPE_IOCTL_REQ, "ioctlcmd" )
 _S(AUPARSE_TYPE_FANOTIFY, "resp" )
-
+_S(AUPARSE_TYPE_ESCAPED, "sw" )
+_S(AUPARSE_TYPE_ESCAPED, "root_dir" )
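Review bot: The action text `"installed-software"` in normalize_record_map.h is fixed for every `AUDIT_SOFTWARE_UPDATE` record, although the record type name speaks of an update rather than an install. If the record is also emitted for upgrades or removals (not visible in this patch), normalized output would report those as installs and mislead anyone reviewing package changes on a host. Either pick wording that covers every operation the record can describe, or document the restriction next to the entry, e.g. `/* emitted for package installs only */`.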