Hi,
I've just released a new version of the audit daemon. It can be downloaded from
http://people.redhat.com/sgrubb/audit
It will also be in rawhide soon. The Changelog is:
- Fix path processing in AVC records.
- auparse_find_field_next() wasn't resetting field ptr going to next record.
- auparse_find_field() wasn't checking current field before iterating
- cleanup some string handling in audisp-prelude plugin
- Update auditctl man page
- Fix output of keys in ausearch interpreted mode
- Fix ausearch/report --start now to not be reset to midnight
- Added auparse_goto_record_num function
- Prelude plugin now uses auparse_goto_record_num to avoid skipping a record
- audispd now has a priority boost config option
- Look for laddr in avcs reported via prelude
- Detect page 0 mmaps and alert via prelude
This is mostly a bug fix release. The prelude work has been showing a few
problems in libauparse. They are cleaned up now. The string handling in the
prelude plugin was not as robust as it could have been. That's now working
better.
The auparse library got a new function. You can now seek to a specific record
in addition to just iterating to them. This was needed because the analysis
part of the prelude plugin could sometimes cause part of an event to not be
examined for a particular problem.
It also turns out that we are starting to have some issues where the audit
event dispatcher is not getting enough time slices to handle all the events
that it needs to. The solution was to add another config option where it can
get a priority boost above the audit daemon's so that it can keep things
empty. The default boost for the audit daemon was increased also.
I also added detection of page 0 mmaps via SE Linux AVCs to the prelude
plugin.
Please let me know if you run across any problems with this release.
-Steve
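The page-0 mmap detection described above, as an added example that is not part of the announcement or of the audit/auparse project's own code. It walks raw audit.log records in Python rather than through libauparse, groups them into events by serial number (the same whole-event view the prelude plugin needs, which is why seeking to a record number mattered), and flags AVC records that show a page-0 mapping. The `memprotect` object class and `mmap_zero` permission are an assumption drawn from the SELinux reference policy; the email does not state which AVC the plugin keys on. The sample records, PIDs, contexts and addresses are constructed for the example. It also pulls `laddr`/`lport` out of network AVCs, since the changelog mentions looking for `laddr`.

```python
"""Flag SELinux AVC records that show a page-0 (address 0) mmap.

Added example, not audit/auparse project code. Assumes the low-address
mapping is reported as tclass=memprotect with the mmap_zero permission,
as in the SELinux reference policy; adjust if your policy differs.
"""
import re
from collections import defaultdict

# Constructed sample audit.log lines: one denied page-0 mmap with its SYSCALL
# record, one unrelated network AVC carrying laddr, and one granted mmap_zero
# whose SYSCALL record is missing (to show a partial event being handled).
SAMPLE_LOG = """\
type=AVC msg=audit(1215478322.123:417): avc:  denied  { mmap_zero } for  pid=2931 comm="wine-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=memprotect
type=SYSCALL msg=audit(1215478322.123:417): arch=40000003 syscall=192 success=no exit=-13 a0=0 a1=1000 a2=7 a3=32 items=0 ppid=2930 pid=2931 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="wine-preloader" exe="/usr/bin/wine-preloader" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1215478330.456:418): avc:  denied  { name_connect } for  pid=3001 comm="httpd" dest=3306 laddr=10.0.0.5 lport=40122 faddr=10.0.0.9 fport=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1215478340.789:419): avc:  granted  { mmap_zero } for  pid=3100 comm="vbetool" scontext=system_u:system_r:vbetool_t:s0 tcontext=system_u:system_r:vbetool_t:s0 tclass=memprotect
"""

HEADER_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Split audit.log text into records: type, timestamp, serial, fields."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an audit record (or truncated); skip it
        rec = {'type': m['type'], 'time': float(m['ts']), 'serial': int(m['serial'])}
        body = m['body']
        avc = AVC_RE.match(body) if rec['type'] == 'AVC' else None
        if avc:
            rec['result'] = avc['result']
            rec['perms'] = avc['perms'].split()
            body = avc['fields']
        rec['fields'] = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        records.append(rec)
    return records


def group_events(records):
    """Records sharing a serial number form one event; keep them together."""
    events = defaultdict(list)
    for r in records:
        events[r['serial']].append(r)
    return events


def network_source(rec):
    """Local endpoint (laddr, lport) of a network AVC, or None if absent."""
    f = rec.get('fields', {})
    if rec['type'] == 'AVC' and 'laddr' in f:
        return (f['laddr'], int(f['lport'])) if 'lport' in f else (f['laddr'], None)
    return None


def find_page0_mmaps(text):
    """Return one alert per event containing a memprotect/mmap_zero AVC.

    Both denied and granted results are reported: a granted page-0 mapping
    (policy boolean flipped, or an allowed domain) is at least as interesting
    as a denied one. The SYSCALL record, when present, supplies the exe.
    """
    alerts = []
    for serial, recs in sorted(group_events(parse_records(text)).items()):
        syscall = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        for r in recs:
            if r['type'] != 'AVC' or r['fields'].get('tclass') != 'memprotect':
                continue
            if 'mmap_zero' not in r.get('perms', []):
                continue
            alerts.append({
                'serial': serial,
                'result': r['result'],
                'pid': int(r['fields']['pid']),
                'comm': r['fields'].get('comm'),
                'exe': syscall['fields'].get('exe') if syscall else None,
                'scontext': r['fields'].get('scontext'),
            })
    return alerts


if __name__ == '__main__':
    for a in find_page0_mmaps(SAMPLE_LOG):
        print('page-0 mmap %s: serial=%d pid=%d comm=%s exe=%s scontext=%s'
              % (a['result'], a['serial'], a['pid'], a['comm'], a['exe'], a['scontext']))
```

Grouping by serial before inspecting is the point: a page-0 mmap shows up as an AVC record, but the executable path and syscall arguments live in the SYSCALL record of the same event, so an analyzer that inspects records one at a time, or skips one, can miss or under-report the finding. The granted case with no SYSCALL record shows the alert still being raised with `exe` left unknown rather than dropped.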