Hello, I've just released a new version of the audit daemon. It can be downloaded from http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The ChangeLog is: - Dont interpret audit netlink groups unless AUDIT_NLGRP_MAX is defined - Add support for AUDIT_RESP_ORIGIN_UNBLOCK_TIMED to ids - Change auparse_feed_has_data in auparse to include incomplete events - Auditd, stop linking against -lrt - Add ProtectHome and RestrictRealtime to auditd.service - In auditd, read up to 3 netlink packets in a row - In auditd, do not validate path to plugin unless active - In auparse, only emit config errors when AUPARSE_DEBUG env variable exists The main change in this release is that auditd pulls events out of the kernel at a faster rate. It was so much so, that the plugins can't keep up. So, I throttled it down a little to give plugin developers a chance to see events at a higher rate and make changes. I will be doubling the speed on the next release. So, now would be the time to check 3rd party plugins and ensure they are dequeuing events as fast as possible. If the plugin has a lot of post processing, I'd suggest making it multithreaded with a fifo inbetween the threads. One pulls events aqueues them, the other dequeues and post processes. Also notable, the bahavior of auparse_feed_has_data in auparse was changed to include incomplete events. This is in effort to speed up processing of events. One other thing that may cause problems if you build and debug plugins is the auditd.service systemd file now adds ProtectHome and RestrictRealtime. The ProtectHome will not let auditd touch anything under /home. That may be an incovenice for debugging. But its better for everyone else. SHA256: 23777e1dc9a80a2ee06a4d442a6a0a9bcbf1ae7ee4b5738a220ff619738cc904 Please let me know if you run across any problems with this release. -Steve