Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Interpret ioctlcmd fields
- Fix the permission of the audit logging directory
- Fix timeout in autrace better
- Add gitignore file to ignore generated files if using git (Richard Guy Briggs)
- audit_log_user_comm_message now resolves comm if NULL is passed
- Update syscall table
- Fix multi-key support in auparse which was broken in tty escape bug fix
- Add multi-key support for syscall rules
This is a bug fix release. I didn't want to wait too long after the directory
permission problem was discovered, but I did want to give a little time in
case there was anything else discovered. The main issue fixed in this release
is the audit log directory permissions. If a group was given for log_group in
auditd.conf, the audit daemon gave write permissions on the directory to the
group. This appears to have started in the 2.6.1 release.

The autrace program was timing out too quickly waiting to check rules. It now
uses the select syscall to wait on rules.

The multi-key support that was added for IDS purposes with prelude was found
to have been broken by the tty escape bug fix. In troubleshooting that, I found
that it was not supported on the "new style" audit rules. So, that has been
fixed so that you can put multiple keys on syscall rules. Multiple key support
was fixed, but to do it right meant that the field type had to change from
AUPARSE_TYPE_ESCAPED to AUPARSE_TYPE_ESCAPED_KEY.
Please let me know if you run across any problems with this release.
-Steve
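Added example, not part of Steve's mail or of the audit package: a POSIX sh check for the log directory permission problem described in the announcement, reporting whether the directory that holds the audit log is group-writable. It assumes the auditd.conf keys log_file and log_group, the assumed default log location /var/log/audit/audit.log, and that ls -ld prints a standard mode string.

```shell
#!/bin/sh
# Added example: detect the condition fixed in this release, i.e. an audit
# log directory that carries a group write bit when log_group is set.

# Print the last value assigned to key $2 in the auditd.conf file $1.
# Handles "key = value" with optional whitespace around '='.
auditd_conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Check the directory containing log_file.
# Returns 0 when no group write bit is set, 1 when the directory is
# group-writable, 2 when the directory does not exist.
check_audit_log_dir() {
    conf=${1:-/etc/audit/auditd.conf}            # assumed default location
    log_file=$(auditd_conf_value "$conf" log_file)
    log_group=$(auditd_conf_value "$conf" log_group)
    # Assumed auditd default when log_file is not set in the config.
    [ -n "$log_file" ] || log_file=/var/log/audit/audit.log
    log_dir=$(dirname "$log_file")
    if [ ! -d "$log_dir" ]; then
        echo "missing audit log directory: $log_dir"
        return 2
    fi
    # In "drwxrwx---" the 6th character is the group write bit.
    gw=$(ls -ld "$log_dir" | cut -c6)
    if [ "$gw" = "w" ]; then
        echo "$log_dir is group-writable (log_group=${log_group:-unset});" \
             "the log directory should not grant write access to the group"
        return 1
    fi
    echo "$log_dir: group write bit not set"
    return 0
}
```

Run it as `check_audit_log_dir /etc/audit/auditd.conf` on a host and act on a non-zero exit status.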