Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit
It will also be in rawhide soon. The Changelog is:
- Improve input error handling in audispd
- Improve end of event detection in auparse library
- Improve handling of abstract namespaces
- Add test mode for prelude plugin
- Handle user space AVCs in prelude plugin
- Audit event serial number now recorded in IDMEF alert
- Add --just-one option to ausearch
- Fix watched account login detection for some failed login attempts
- Couple fixups in audit logging functions (Miloslav Trmac)
- Add support for virtual keys
- Added new type for user space MAC policy load events
- auparse_find_field_next was not iterating correctly, fixed it
- Add IDMEF alerts for access or execution of watched file
- Fix buffer overflow in audit_log_user_command
- Add basic remote logging plugin - only sends & no flow control
- Update ausearch with interpret fixes from auparse
This release has a lot of changes. There are a lot of bugs fixed in this
update. Besides pure bug fixing, this release adds a test mode for the
audisp-prelude plugin. It can now take file input on stdin and output to
stdout what it would like to do.
The audisp-prelude plugin also has a big change in the configuration file. It
now takes separate enablers and actions to decide if a certain detection
should be run and what to do if something is found. Right now, the only
action is to send an IDMEF event. But this allows for future actions that can
protect the machine.
IDMEF events were added for watched files or execution of watched programs.
This requires a specific key format to work.
Ausearch was given a new option, --just-one. This tells it to emit just one
event during the search. This is handy if you are searching for a specific
event by its serial number and time.
Virtual key support was added throughout the utilities and libraries. With it,
admins can now express more than one key in an auditctl rule. The size limit
was left at 32, but we'll bump it up when kernel 2.6.26 is starting to take
patches.
A buffer overflow in audit_log_user_command was fixed. This was preventing
sudo from running when it had a large number of arguments. For now, we are
truncating the event's argument list. But I'll try to work something out
around continuation records so that it can be fully pieced together.
Lastly, a remote logging plugin makes its debut. Right now it sends only and
has no flow control. I made a quick and dirty program that runs off of xinetd
that just appends records to a file to verify it works. Anyone that wants
to use it will need to do nearly the same at this point. The next release
will include a receive capability with no flow control. And then in another
release after that I'll add the flow control between sender and receiver.
Please let me know if you run across any problems with this release.
-Steve
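As an added illustration (not part of the announcement above and not the libaudit code itself), here is the bounded-copy pattern behind the kind of fix described for audit_log_user_command: a fixed-size record buffer, an unchecked join that overruns it when something like sudo passes a long argument list, and a bounded join that cuts the argument list at a whole-argument boundary and reports that it did so. The buffer size, the function names and the sample argument list are assumptions made for this example; the actual fix in the release is only described in the mail, not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not code from the audit project. CMD_BUF, the
 * function names and the sample argv below are assumptions; the real
 * audit_log_user_command() fix is only described in the announcement. */

#define CMD_BUF 32   /* deliberately small so truncation is easy to see */

/* Unsafe pattern: strcat() into a fixed buffer with no length check.
 * Once the joined arguments reach CMD_BUF bytes this writes past the end
 * of cmd[], which is the class of bug a long sudo command line triggers
 * in a fixed-size event buffer. Never feed this untrusted argv. */
void join_args_unchecked(char *cmd, int argc, char *const argv[])
{
    cmd[0] = '\0';
    for (int i = 0; i < argc; i++) {
        if (i)
            strcat(cmd, " ");
        strcat(cmd, argv[i]);   /* no bound: overflow on long input */
    }
}

/* Hardened pattern: append each argument with snprintf() inside the
 * remaining space. Stop at the first argument that does not fit, back out
 * any partial copy of it so only whole arguments remain, and return 1 so
 * the caller can mark the event as truncated instead of logging a
 * silently shortened command line. Returns 0 when everything fit. */
int join_args_bounded(char *cmd, size_t cmd_len, int argc, char *const argv[])
{
    size_t used = 0;

    if (cmd_len == 0)
        return 1;
    cmd[0] = '\0';
    for (int i = 0; i < argc; i++) {
        const char *sep = i ? " " : "";
        int n = snprintf(cmd + used, cmd_len - used, "%s%s", sep, argv[i]);

        if (n < 0 || (size_t)n >= cmd_len - used) {
            cmd[used] = '\0';   /* drop the partial argument */
            return 1;           /* argument list was truncated */
        }
        used += (size_t)n;      /* used stays < cmd_len, so space remains */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: a sudo invocation long enough to overflow CMD_BUF
     * with the unchecked join and to be truncated by the bounded one. */
    char *const argv[] = { "sudo", "ls", "-l", "/etc",
                           "/var/log/audit", "/etc/audit" };
    int argc = (int)(sizeof(argv) / sizeof(argv[0]));
    char cmd[CMD_BUF];

    int truncated = join_args_bounded(cmd, sizeof(cmd), argc, argv);
    printf("cmd=\"%s\" truncated=%d\n", cmd, truncated);
    return 0;
}
```

The return value is the part worth keeping: an event that says its argument list was cut short is still useful to a searcher, whereas a partial command line with no marker looks like the whole command and misleads whoever reads it later.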