diff --git a/CMakeLists.txt b/CMakeLists.txt
index 923265171b..dfb0997d8c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -421,8 +421,8 @@ if (ENABLE_ASAN OR ENABLE_UBSAN)
 add_compile_options(-fno-omit-frame-pointer)
 endif()
-# try to ensure some compiler sanity
-foreach (flag -fno-strict-overflow -fno-delete-null-pointer-checks)
+# try to ensure some compiler sanity and hardening options where supported
+foreach (flag -fno-strict-overflow -fno-delete-null-pointer-checks -fhardened)
 check_c_compiler_flag(${flag} found)
 if (found)
 add_compile_options(${flag})
diff --git a/lib/fsm.cc b/lib/fsm.cc
index ec0303400c..63580c25ad 100644
--- a/lib/fsm.cc
+++ b/lib/fsm.cc
@@ -474,13 +474,15 @@ static void removeSBITS(int dirfd, const char *path)
 struct stat stb;
 int flags = AT_SYMLINK_NOFOLLOW;
 if (fstatat(dirfd, path, &stb, flags) == 0 && S_ISREG(stb.st_mode)) {
+ /* XXX TODO: actually check for the rc, but what to do there? */
+ int rc = 0;
 /* We now know it's not a link so no need to worry about following */
 if ((stb.st_mode & 06000) != 0) {
- (void) fchmodat(dirfd, path, stb.st_mode & 0777, 0);
+ rc += fchmodat(dirfd, path, stb.st_mode & 0777, 0);
 }
 #ifdef WITH_CAP
 if (stb.st_mode & (S_IXUSR|S_IXGRP|S_IXOTH)) {
- (void) cap_set_fileat(dirfd, path, NULL);
+ rc += cap_set_fileat(dirfd, path, NULL);
 }
 #endif
 }
diff --git a/lib/keystore.cc b/lib/keystore.cc
index da4e12e289..a64ef07d6a 100644
--- a/lib/keystore.cc
+++ b/lib/keystore.cc
@@ -164,7 +164,7 @@ static int acquire_write_lock(rpmtxn txn)
 goto exit;
 }
- if ((fd = open(lockpath, O_WRONLY|O_CREAT)) == -1) {
+ if ((fd = open(lockpath, O_WRONLY|O_CREAT, 644)) == -1) {
 rpmlog(RPMLOG_ERR, _("Can't create writelock for keyring at %s: %s\n"), keyringpath, strerror(errno));
 } else if (flock(fd, LOCK_EX|LOCK_NB)) {
 rpmlog(RPMLOG_ERR, _("Can't acquire writelock for keyring at %s\n"), keyringpath);
diff --git a/plugins/audit.c b/plugins/audit.c
index a4309f729e..0bbbdb3cb3 100644
--- a/plugins/audit.c
+++ b/plugins/audit.c
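Review bot: In the CMakeLists.txt `foreach`, `-fhardened` reaches the build only through `add_compile_options()`, so the link-time part of what GCC documents for this flag (`-pie`, `-Wl,-z,relro,-z,now`) is not passed when the driver links, unless those are set elsewhere in the file. Adding `add_link_options(${flag})` next to the compile option would cover that. The probe is also C-only (`check_c_compiler_flag`) while the option is applied to every language and the tree has C++ sources such as `lib/fsm.cc`; a matching `check_cxx_compiler_flag` would avoid assuming both compilers agree. Because the sanitizer block sits directly above, it may be worth skipping `-fhardened` when `ENABLE_ASAN` is set, since fortified libc wrappers are commonly reported to reduce ASan's coverage. The loop body continues past the end of the hunk.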
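Review bot: In `removeSBITS` (lib/fsm.cc) the new `rc` is accumulated but never read, so a failure to strip the setuid/setgid bits or the file capabilities is still silent, and summing the two return values also discards which call failed and its `errno`. Since this function exists to neutralise a privileged file, the failure should at least be logged, e.g. `if (fchmodat(dirfd, path, stb.st_mode & 0777, 0)) rpmlog(RPMLOG_WARNING, _("failed to clear suid/sgid bits on %s: %s\n"), path, strerror(errno));`. The capability call would need the same treatment, presumably tolerating the "no capability set" error so ordinary executables do not warn. The function starts and ends outside the hunk, so whether `rc` can be propagated to a caller is not visible here.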
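Review bot: The mode passed to `open()` in `acquire_write_lock` (lib/keystore.cc) is the decimal literal `644`, not octal. Decimal 644 is `01204`, so before umask the lock file is created with the sticky bit, owner write-only and world-read instead of `rw-r--r--`. The line should read `if ((fd = open(lockpath, O_WRONLY|O_CREAT, 0644)) == -1) {`. If nothing but rpm needs to read the lock file, `0600` would be the tighter choice. The rest of the function is outside the hunk.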
@@ -1,8 +1,10 @@
 #include "system.h"
+#include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -82,8 +84,16 @@ static rpmRC audit_tsm_post(rpmPlugin plugin, rpmts ts, int res)
 rasprintf(&eventTxt, "op=%s %s sw_type=rpm key_enforce=%u gpg_res=%u %s", op, nevra, enforce, verified, dir);
- audit_log_user_comm_message(auditFd, AUDIT_SOFTWARE_UPDATE,
- eventTxt, NULL, NULL, NULL, NULL, result);
+
+ if (audit_log_user_comm_message(auditFd, AUDIT_SOFTWARE_UPDATE,
+ eventTxt, NULL, NULL, NULL, NULL, result) <= 0)
+ {
+ /* Filter out noise from containers and other novelties */
+ int ignore = (errno == ECONNREFUSED || errno == EPERM);
+ rpmlog(ignore ? RPMLOG_DEBUG : RPMLOG_WARNING,
+ _("logging an audit message failed: %s\n"),
+ strerror(errno));
+ }
 free(nevra);
 free(eventTxt);
 }
diff --git a/tests/Dockerfile.fedora b/tests/Dockerfile.fedora
index dc12be49ee..4fa82e1ca2 100644
--- a/tests/Dockerfile.fedora
+++ b/tests/Dockerfile.fedora
@@ -87,6 +87,7 @@ RUN chmod -R a-w .
 WORKDIR /srv/build
 ENV CFLAGS="-Og -g"
+ENV CXXFLAGS="-Og -g"
 RUN cmake \
 -DENABLE_WERROR=ON \
 -DENABLE_ASAN=ON \
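Review bot: In the second plugins/audit.c hunk (`audit_tsm_post`), demoting `ECONNREFUSED` and `EPERM` to `RPMLOG_DEBUG` also hides the case where a regular host's audit daemon is down or the caller lacks the capability, so a lost `AUDIT_SOFTWARE_UPDATE` record is invisible at default verbosity. The comment should state that trade-off, e.g. `/* Containers hit these routinely; on a real host they also mean the audit record was lost */`, or the demotion could apply only when a container is detected. The branch also relies on `errno` being meaningful for every `<= 0` return, which this hunk does not establish; logging the call's return value next to `strerror(errno)` would make an unexpected failure easier to diagnose. The function body starts before and continues after the hunk.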