Hello,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Fix python3 byte compile for libaudit bindings
- Add "boot" keyword to time parameters of ausearch/aureport
- In auparse normalizer, add memory object kind
- In auparse normalizer, handle a couple more file related syscalls
- In auparse normalizer, find the object for AVCs
- In ausearch/auparse mark KERNEL event as 1 record event
- Bump up the default value of the audispd q_depth setting to 250
- In auparse, allow '-' in field names for ausearch_add_expression()
- In auparse normalize, break change-file-attribute to permission and ownership
- Add python bindings for auparse normalizer
- Fix aureport's file report to not pick the parent path record in reports
- Document auparse normalize accessor functions with a man page
- In auparse normalizer, handle scheduler syscalls
- In auparse normalizer, find path record for file syscalls without cwd record
- Update the syscall table to the 4.11 kernel
- Fix auvirt time keywords to work properly (#1367703)
- In auditd, if any action is exec, close and reopen the logging descriptor

This is a big release in terms of the number of updates made during the
development cycle. Most of the items listed above are to round out the
normalizer support as I tested different kinds of records. There are now python
bindings for the auparse normalizer.

Ausearch/aureport have a new time keyword, boot, which selects all events since
the last boot. The libaudit syscall tables were updated for the new syscalls
in the 4.11 Linux kernel.

It was discovered that when there are multiple path records, aureport was
outputting the first one in the file report, which was most likely a
directory. Now it will choose the first non-parent record and output it.

The default q_depth setting for audispd was bumped up a little to prevent
dropping events during bursts of activity.

And in auditd, if you specify an exec action item, auditd will now close the
logging descriptor so that the called program can do anything it wants to the
audit files. The called script/program must send SIGUSR2 to auditd to resume
logging. (This has always been the case and is not new.) When auditd sees
SIGUSR2, it will resume logging by re-opening the old file or creating a new
audit.log file as needed.
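As an added illustration (not part of this announcement or of the audit project's own code), a minimal exec action script in the shape described above: it archives the audit files while auditd has its logging descriptor closed, then sends SIGUSR2 so auditd re-opens or recreates audit.log. The archive directory and the use of /var/run/auditd.pid to locate auditd are assumptions; all paths can be overridden through environment variables.

```shell
#!/bin/sh
# audit-archive.sh: constructed example of an auditd "exec" action handler,
# e.g. in /etc/audit/auditd.conf:  space_left_action = exec /usr/local/sbin/audit-archive.sh
# auditd closes its logging descriptor before running the action, so the
# files can be moved; logging stays paused until this script sends SIGUSR2.

AUDIT_LOG_DIR="${AUDIT_LOG_DIR:-/var/log/audit}"        # directory of auditd's log_file
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/audit/archive}"     # assumed archive location
AUDITD_PIDFILE="${AUDITD_PIDFILE:-/var/run/auditd.pid}"  # assumed auditd pid file

# Move every audit.log* file into a timestamped archive directory.
# Prints the archive path; returns 1 if nothing was archived.
archive_audit_logs() {
    dest="$ARCHIVE_DIR/$(date -u +%Y%m%dT%H%M%SZ)"
    moved=0
    for f in "$AUDIT_LOG_DIR"/audit.log*; do
        [ -f "$f" ] || continue
        [ -d "$dest" ] || mkdir -p -m 0700 "$dest" || return 1
        mv "$f" "$dest/" || return 1
        moved=$((moved + 1))
    done
    [ "$moved" -gt 0 ] || return 1
    printf '%s\n' "$dest"
}

# Signal auditd to resume logging: it re-opens audit.log, creating a new file
# because the old one was moved. Returns 1 if no valid pid can be read.
resume_auditd_logging() {
    [ -r "$AUDITD_PIDFILE" ] || return 1
    pid=
    read -r pid < "$AUDITD_PIDFILE" || true   # a pid without trailing newline is still read
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    kill -USR2 "$pid"
}

main() {
    dest=$(archive_audit_logs) || echo "audit-archive: nothing to archive" >&2
    # Always try to resume, so an archiving failure does not leave auditd paused.
    resume_auditd_logging || { echo "audit-archive: could not signal auditd" >&2; exit 1; }
    [ -z "$dest" ] || echo "audit-archive: logs moved to $dest"
}

# Run only when invoked as the script itself, so the functions can also be sourced.
case "${0##*/}" in audit-archive.sh) main "$@" ;; esac
```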

This is the first release off of the github repo. There is a release listed on
the project page. It's a raw release that has not been processed by
automake/autoconf. I will probably change the naming convention to distinguish
raw github tarballs vs. processed and ready-to-use tarballs.

Please let me know if you run across any problems with this release.
-Steve