Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - In auditd, flush uid/gid caches when user/group added/deleted/modified - Fixed various issues when dealing with corrupted logs - In auditd, check if log_file is valid before closing handle I usually do not make a release this quick after doing one. But there was an issue (209) reported on github that I think merits an immediate release. The issue is that if you create, delete, and create a new user with a new name, auditd may have stale cache entries for the older user. If you use the enriched format (default setting), then this old association can get added to the record. That can cause ausearch to report actions attributed to the old user name. Normally people don't delete and create users quickly. By design, the cache is only 19 entries long and flushes the least recently used. Please test audit-3.0.5 carefully - 3.0.4 had big changes. SHA256: 7c54e73a6cafc8154ee6e37971efb1c8dd9ac2361daec429a52a7538c24fdc70 Please let me know if you run across any problems with this release. -Steve