In our system we need to supply some specialized plugins to, for example evolution, which will be doing things that we desire to audit. However, we don't want to assign CAP_AUDIT_WRITE to evolution. I have an approach on which I wanted to get some feedback. I would create a library call and matching executable audit proxy. I'd give CAP_AUDIT_WRITE to the proxy. Then, the library call would fork/exec the audit proxy child, create a socket pair, and give each side their half of the pair. The sockets would persist until an explicit close (another library call, so that it told the proxy client to shut down through the socket interface) happened, so subsequent audits could use the interface. Also the child proxy would exit on socket close, etc. I can include the parent PID in the audit info. So if anyone has already done this or there is some reason for not choosing this path I'd appreciate comments. Thx, Lenny Bruzenak. -- LC (Lenny) Bruzenak lenny(a)magitekltd.com