On Wednesday 03 December 2008 05:23:28 Loredan Stancu wrote: Might also be helpful to know which distribution and release, IOW Fedora 10? Do you find USER_LOGIN events? ausearch --start today -m USER_LOGIN Without that, you won't see anything. For which event? The loginuid is mostly what I concentrated on since that tells you how they got into the machine. You need 2 rules to cover this: auditctl -a exit,always -S fchmodat -F dir=/home -F 'a2&0111' -F filetype=file -k ids-mkexe-hi auditctl -a exit,always -S fchmod,chmod -F dir=/home -F 'a1&0111' -F filetype=file -k ids-mkexe-hi It works fine on my system. Also note that it depends on having a recent kernel. Assuming you are using Fedora, to set this up on client machines, you will need to install the audispd-plugins package. Then you need to set the remote_server and port in the /etc/audisp/audisp-remote.conf file. The server that aggregates the logs does not need the plugins package installed. It should have the tcp_listen_port set to the same port as the clients in the /etc/audit/auditd.conf file. Then semanage needs to have the same port in its database since the audit daemon is protected by SE Linux. Assuming that you wanted the audit daemon listening on port 1000, you would run: semanage port -a -t audit_port_t -p tcp 1000. The last step is to edit the /etc/hosts.allow file to configure tcp_wrappers to allow the machines or subnets that the daemon should allow connections from. -Steve