Dear linux-audit people, I'm recently converted to Fedora3 from Slackware and I'm very new to this linux audit stuff, I really need help on this. I'm working on some user space audit logging stuff which does capture both netfilter's ulog and audit for my own project. First off, I tried auditd to understand how audit facility works in user space. But since there's lack of info, I have no idea how to use it first of all. I followed readme's example below: ===> Examples: General: Window 1: ./auditd Window 2 (you don't have to have the daemon running to try this, but enabled has to be 1): ./auditctl -s ./auditctl -a entry,always -S open ls ./auditctl -d entry,always -S open Identity tracking: ./auditctl -a exit,always -S all -F loginuid=2000 ./auditctl -L 2000,"test uid" <=== Nothing worked. The auditd stuck at pthread_cond_wait() call. Maybe I need some policy setting to make it work? I tried strict policy too but it was same though I got avc error that some of auditd's requests were rejected. I ran aduitd and auditctl under sysadm_r:sysadm_t. Am I missing something very important thing at first place? Please enlighten me how to use auditd and more info on linux audit facility, such as policy settings if required? Thank you, -- Junji Kanemaru Linuon Inc. Tokyo Japan