Index: contrib/openbsm/bin/praudit/praudit.c
===================================================================
--- contrib/openbsm/bin/praudit/praudit.c
+++ contrib/openbsm/bin/praudit/praudit.c
@@ -36,10 +36,15 @@
 * praudit [-lnpx] [-r | -s] [-d del] [file ...]
 */
+#include
+
 #include
+#include
+#include
 #include
 #include
+#include
 #include
 extern char *optarg;
@@ -106,6 +111,7 @@
 int
 main(int argc, char **argv)
 {
+ cap_rights_t rights;
 int ch;
 int i;
 FILE *fp;
@@ -153,17 +159,47 @@
 if (oflags & AU_OFLAG_XML)
 au_print_xml_header(stdout);
+ /* Cache timezone information before entering Capsicum sandbox. */
+ tzset();
+
+ /* Cache /etc/security/audit_event. */
+ (void)getauevent();
+
+ cap_rights_init(&rights, CAP_FSTAT, CAP_WRITE);
+ if (cap_rights_limit(STDOUT_FILENO, &rights) < 0 && errno != ENOSYS)
+ err(1, "unable to limit rights for stdout");
+ if (cap_rights_limit(STDERR_FILENO, &rights) < 0 && errno != ENOSYS)
+ err(1, "unable to limit rights for stderr");
+
 /* For each of the files passed as arguments dump the contents. */
+ cap_rights_init(&rights, CAP_FSTAT, CAP_READ);
 if (optind == argc) {
+ if (cap_rights_limit(fileno(stdin), &rights) < 0 &&
+ errno != ENOSYS)
+ err(1, "unable to limit rights for stdin");
+ if (cap_enter() < 0 && errno != ENOSYS)
+ err(1, "unable to enter capability mode");
+
 print_tokens(stdin);
 return (1);
 }
 for (i = optind; i < argc; i++) {
 fp = fopen(argv[i], "r");
- if ((fp == NULL) || (print_tokens(fp) == -1))
+ if (fp == NULL)
+ perror(argv[i]);
+ if (cap_rights_limit(fileno(fp), &rights) < 0 &&
+ errno != ENOSYS)
+ err(1, "unable to limit rights for %s", argv[i]);
+
+ /* Enter Capsicum sandbox for the last file. */
+ if (i + 1 == argc) {
+ if (cap_enter() < 0 && errno != ENOSYS)
+ err(1, "unable to enter capability mode");
+ }
+
+ if (print_tokens(fp) == -1)
 perror(argv[i]);
- if (fp != NULL)
- fclose(fp);
+ fclose(fp);
 }
 if (oflags & AU_OFLAG_XML)
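Review bot: When fopen() fails in the for loop of the last hunk, the new code calls perror() and then falls through to `cap_rights_limit(fileno(fp), &rights)`, `print_tokens(fp)` and `fclose(fp)` with fp == NULL, which the removed `fp != NULL` guard used to prevent; the check should be `if (fp == NULL) { perror(argv[i]); continue; }`. Separately, cap_enter() is reached only when `i + 1 == argc`, so every file except the last is parsed by print_tokens() outside capability mode, and a malformed trail given as an earlier argument is handled without the sandbox. Opening and rights-limiting all files first and entering capability mode once before the first print_tokens() call would cover them all; at minimum the comment should state the limit, e.g. `/* NB: only the last file is parsed inside the sandbox. */`. main() begins and ends outside this hunk, so the effect on its exit status is not visible here.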