Hi, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - Fix parsing of EXECVE records to not escape argc field - If auditd's disk is full, send the right reason to client (#715315) - Add CAP_WAKE_ALARM to interpretations - Some updates to audisp-remote's remote-fgets function (Mirek Trmac) - Add detection of TTY events to audisp-prelude (Matteo Sessa) - Updated syscall tables for the 3.0 kernel - Update linker flags for better relro support - Make default size of logs bigger (#727310) - Extract obj from NETFILTER_PKT events - Disable 2 kerberos config options in audisp-remote.conf This update is mostly parser and remote logging fixes. The syscall table was also updated for the 3.0 kernel and the resulting files were hardened further with gcc linker flags. Please let me know if you run across any problems with this release. -Steve