Hi,
I've just released a new version of the audit daemon. It can be downloaded from
http://people.redhat.com/sgrubb/audit
It will also be in rawhide soon. The Changelog is:
- Fix uninitialized variable in aureport causing segfault
- Quieten down the gssapi not supported messages
- Fix bug interpreting i386 logs on x86_64 machines
- If kernel is in immutable mode, auditd should not send enable command
- Fix ausearch/report recent and now time keyword lookups
- If hostname is empty string when logging, make it NULL
- Started adding unit tests to src/test
- Created aulast program
- prelude plugin should pull auid for login alert from 2nd uid field
- Add system boot, shutdown, and run level change events
- Update audisp-prelude LDFLAGS
- Add max_restarts to audispd.conf to limit times a plugin is restarted
- Expand session detection in ausearch
This is mostly a bug fix release. Most of those should be self-explanatory
from the description.
This release also adds a new analytical tool, aulast. This is a
re-implementation of the "last" and "lastb" programs based on audit logs.
The output is identical in format to that of those utmp-based programs. To get the
analysis to work correctly, I needed to introduce 3 new types: SYSTEM_BOOT,
SYSTEM_SHUTDOWN, and SYSTEM_RUNLEVEL. I had to patch upstart to send the
appropriate events, too. The patch against upstart 0.3.9 is here:
http://people.redhat.com/sgrubb/files/upstart/upstart-0.3.9-audit.patch
I will be porting the patch to 0.5 shortly and will post that patch to the
same directory for anyone that needs it.
Because this is based on audit logs and we may need to debug the analysis,
I added --proof and --extract options. The --proof option lists the audit
event serial numbers that were used to determine the final state of the
login/logout. This will let you go back and look at them in more detail if
needed. The --extract option will output a condensed raw audit log to
aulast.log in the current working directory that has the events used in
creating the report.
Right now, aulast is not "node" aware. But if you have aggregated logs and
want to use the program, you can pipe it with ausearch. Something like:
ausearch --start today --node test.machine --raw | aulast --stdin
Aulast also requires that the kernel support the session identifier in the
user space originating audit records. I believe that means you need to be
running kernel 2.6.25 or newer or have those patches backported.
Please let me know if you run across any problems with this release.
-Steve
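The following is an added illustration of the kind of analysis aulast performs, written for this page; it is not Steve's code and not part of the audit package. It rebuilds last/lastb-style rows from raw audit records by correlating USER_LOGIN and USER_END on the ses= field, closes still-open sessions on SYSTEM_SHUTDOWN ("down") or on a following SYSTEM_BOOT ("crash"), keeps the serial numbers that justified each row (the idea behind --proof), and writes out only the records it used (the idea behind --extract). The sample records are constructed, and their field layout (acct=, terminal=, hostname=, res=, ses=) is an assumption made for the example; real records may differ. Note what happens to the record with ses=4294967295 (the unset value): it cannot be matched to a logout, which is the practical reason for the kernel session-id requirement mentioned above.

```python
"""Toy aulast: rebuild last(1)-style rows from raw audit records (example only)."""
import re
from datetime import datetime, timezone

UNSET = 4294967295  # (unsigned)-1: what the kernel reports when no session id is set

# Constructed sample input, not a real capture. Layout assumed for this example:
# "type=T msg=audit(secs.millis:serial): key=value ..." as in a raw audit.log.
SAMPLE_RAW = """\
type=SYSTEM_BOOT msg=audit(1209600000.000:100): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg='booting'
type=USER_LOGIN msg=audit(1209600100.000:101): user pid=2000 uid=0 auid=500 ses=1 msg='op=login id=500 acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1209600200.000:102): user pid=2100 uid=0 auid=501 ses=2 msg='op=login id=501 acct="bob" exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_LOGIN msg=audit(1209600250.000:103): user pid=2200 uid=0 auid=502 ses=4294967295 msg='op=login id=502 acct="carol" exe="/usr/sbin/sshd" hostname=10.0.0.7 addr=10.0.0.7 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1209600260.000:104): user pid=2300 uid=0 auid=4294967295 ses=4294967295 msg='op=login id=unknown acct="mallory" exe="/usr/sbin/sshd" hostname=10.0.0.9 addr=10.0.0.9 terminal=ssh res=failed'
type=USER_END msg=audit(1209600300.000:105): user pid=2000 uid=0 auid=500 ses=1 msg='op=logout id=500 exe="/usr/sbin/sshd" terminal=ssh res=success'
type=SYSTEM_SHUTDOWN msg=audit(1209600400.000:106): user pid=1 uid=0 auid=4294967295 ses=4294967295 msg='shutting down'
"""

HEAD = re.compile(r'^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\):(.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw record into type, time, serial and a flat key=value dict."""
    m = HEAD.match(line.strip())
    if not m:
        return None
    rtype, secs, serial, body = m.groups()
    fields = {k: v.strip('"\'') for k, v in KV.findall(body)}
    return {**fields, "type": rtype, "time": int(secs), "serial": int(serial)}


def rebuild_sessions(raw_text):
    """Return {"rows": last-style rows, "bad": lastb-style rows, "uncorrelated": serials}.

    Each row carries a 'proof' list: the serial numbers that fixed its state.
    'uncorrelated' holds logins whose ses= is unset, so no logout can be matched.
    """
    recs = [r for r in map(parse_record, raw_text.splitlines()) if r]
    recs.sort(key=lambda r: (r["time"], r["serial"]))
    open_by_ses, rows, bad, uncorrelated = {}, [], [], []

    def close_all(reason, rec):
        # Anything still open when the system goes down (or comes back up
        # without a shutdown record) is closed with that reason.
        for row in open_by_ses.values():
            row.update(logout=rec["time"], reason=reason)
            row["proof"].append(rec["serial"])
        open_by_ses.clear()

    for r in recs:
        if r["type"] == "SYSTEM_BOOT":
            close_all("crash", r)
            row = {"user": "reboot", "tty": "system boot", "host": "", "login": r["time"],
                   "logout": None, "reason": "still running", "proof": [r["serial"]]}
            open_by_ses["reboot"] = row
            rows.append(row)
        elif r["type"] == "SYSTEM_SHUTDOWN":
            close_all("down", r)
        elif r["type"] == "USER_LOGIN":
            row = {"user": r.get("acct", "?"), "tty": r.get("terminal", "?"),
                   "host": r.get("hostname", "?"), "login": r["time"], "logout": None,
                   "reason": "still logged in", "proof": [r["serial"]]}
            if r.get("res") != "success":
                bad.append(row)                      # lastb material
            elif int(r.get("ses", UNSET)) == UNSET:
                uncorrelated.append(r["serial"])     # no session id: cannot pair with a logout
            else:
                open_by_ses[r["ses"]] = row
                rows.append(row)
        elif r["type"] == "USER_END" and r.get("ses") in open_by_ses:
            row = open_by_ses.pop(r["ses"])
            row.update(logout=r["time"], reason="logout")
            row["proof"].append(r["serial"])
    return {"rows": rows, "bad": bad, "uncorrelated": uncorrelated}


def extract(raw_text, result):
    """Like --extract: keep only the raw lines whose serials backed the report."""
    used = {s for row in result["rows"] + result["bad"] for s in row["proof"]}
    kept = []
    for line in raw_text.splitlines():
        r = parse_record(line)
        if r and r["serial"] in used:
            kept.append(line)
    return kept


def format_row(row):
    """Render one row roughly the way last(1) does (times shown in UTC)."""
    stamp = lambda t, f: datetime.fromtimestamp(t, timezone.utc).strftime(f)
    start = stamp(row["login"], "%a %b %d %H:%M")
    if row["logout"] is None:
        end = row["reason"]
    else:
        mins = (row["logout"] - row["login"]) // 60
        when = stamp(row["logout"], "%H:%M") if row["reason"] == "logout" else row["reason"]
        end = "%s  (%02d:%02d)" % (when, mins // 60, mins % 60)
    return "%-8s %-12s %-16s %s - %s" % (row["user"], row["tty"], row["host"], start, end)


if __name__ == "__main__":
    res = rebuild_sessions(SAMPLE_RAW)
    for row in res["rows"]:
        print(format_row(row), "proof:", row["proof"])
    print("failed logins:", [b["user"] for b in res["bad"]])
    print("logins without session id:", res["uncorrelated"])
```

Feeding it the output of `ausearch --raw` (per node, as in the pipe above) instead of the constructed sample is the same idea, with the caveat that real field names and the set of record types consulted are the aulast author's decisions, not this example's.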