Hello,
I've just released a new version of the audit daemon. It can be downloaded from
http://people.redhat.com/sgrubb/audit. It will also be in rawhide soon. The
ChangeLog is:
- Do capabilities check rather than uid
- Auditd fixup directory and file permissions on startup
- Add some missing config items to auditd reconfigure
- In audisp-remote add warn_once and warn_once_continue action handlers
- In audisp-remote only emit 1 warning when disk_full or error is reached.
- Aulast now searches on user name as a string for enriched events
- Ausearch now searches on user name as a string for enriched events
- Create audit-stop.rules to clean up audit subsystem on stop
- Adjust LDFLAGS for cross compiled helper utilities (Laurent Bigonville)
- Fix event formatting issue in audispd
- Fix bug causing ack to not be sent from auditd to audisp-remote
This release follows the last one quickly because it's a bugfix release. The
last release had a lot of code churn, and debugging and testing were not 100%
complete. The biggest issue was that during the creation of the protocol 2
format handler in audispd, some newlines got stripped from the formatting.
This caused problems for any protocol 1 events. The likely effect is audispd
plugins not working correctly.
There was also a bug in auditd due to refactoring the code to retry sending
events to the dispatcher. The effect of the bug was to zero out the ack
function when receiving remote events. This caused audisp-remote to retry
sending the event over and over because it timed out, thinking the server was
having comm problems.
It was also pointed out that some people don't want audit events of any kind
going to syslog when the audit daemon is stopped. This update adds a new file,
audit-stop.rules, which gets loaded when the audit daemon stops. The current
rules disable the audit subsystem and delete all rules.
The conversion to enriched events was not complete in 2.6. The ausearch and
aulast programs needed to use the user name as a string to search for events.
audisp-remote was reworked to only emit 1 warning when disk_full or error is
reached. New config options were added to help accomplish this. There are now
warn_once and warn_once_continue options for failures. They act like the syslog
option except they only send one warning. Read the man page for more details.
It was also found that not all config options were being loaded when the audit
daemon received SIGHUP.
The audit daemon will now fix logging directory ownership and mode during
restart or config reload. This will help everyone who sets the log access group
because it will restore the config after an upgrade.
Almost every place that uid was checked for root has been updated to do a
capability check instead.
Please let me know if you run across any problems with this release.
-Steve
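For the audit-stop.rules behaviour described above, here is what a rules file that does the two things the announcement names looks like, in auditctl rule syntax. This is an added illustration, not the file shipped in the release; the exact contents and ordering of the shipped file are an assumption, but the two directives are standard auditctl options.

```text
# Constructed example of an audit-stop.rules file (not the shipped file).
# Loaded by the init script when the audit daemon stops.
# Delete all currently loaded rules.
-D
# Disable the audit subsystem so no further events are generated or
# routed to syslog while auditd is down.
-e 0
```

One caveat worth knowing when relying on this: if the running configuration was locked with `-e 2` (the immutable setting), neither directive takes effect, auditctl reports an error, and the existing rules stay active until reboot. A system that locks its rules should not expect the stop file to silence audit output.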
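The change from uid checks to capability checks mentioned above is worth seeing concretely. The following is an added example, not code from the audit package: it reads the effective capability mask the kernel exposes in /proc/<pid>/status and compares the legacy "euid == 0" test with a check for CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE. The capability bit numbers are the kernel's own (include/uapi/linux/capability.h); the status texts are constructed sample input, and the helper names are my own.

```python
"""Compare a uid-based privilege test with a capability-based one.

Added example (not audit-userspace code). Capability bit numbers come from
the Linux UAPI header; the /proc status snippets below are constructed.
"""
import os

# Capability bit numbers from include/uapi/linux/capability.h.
CAP_AUDIT_WRITE = 29
CAP_AUDIT_CONTROL = 30
CAP_AUDIT_READ = 37


def parse_cap_eff(status_text: str) -> int:
    """Return the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line found")


def has_cap(mask: int, cap: int) -> bool:
    """True if capability bit `cap` is set in `mask`."""
    return bool(mask & (1 << cap))


def audit_privilege_report(status_text: str, euid: int) -> dict:
    """Run both tests side by side so the difference is visible."""
    mask = parse_cap_eff(status_text)
    return {
        "uid_check_passes": euid == 0,
        "cap_audit_control": has_cap(mask, CAP_AUDIT_CONTROL),
        "cap_audit_write": has_cap(mask, CAP_AUDIT_WRITE),
    }


# Constructed: euid 0, but the effective set holds only CAP_AUDIT_WRITE
# (bit 29 = 0x20000000). A uid check says "privileged"; a capability check
# correctly says this process may not control the audit subsystem.
SAMPLE_STATUS_ROOT_NO_CONTROL = (
    "Name:\tsample\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapEff:\t0000000020000000\n"
)

# Constructed: unprivileged uid granted CAP_AUDIT_CONTROL (bit 30 =
# 0x40000000), e.g. via file or ambient capabilities. A uid check would
# wrongly refuse it; a capability check admits it.
SAMPLE_STATUS_NONROOT_WITH_CONTROL = (
    "Name:\tsample\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "CapEff:\t0000000040000000\n"
)


def current_process_report() -> dict:
    """Same comparison for the calling process (Linux only)."""
    with open("/proc/self/status") as f:
        return audit_privilege_report(f.read(), os.geteuid())


if __name__ == "__main__":
    print(audit_privilege_report(SAMPLE_STATUS_ROOT_NO_CONTROL, 0))
    print(audit_privilege_report(SAMPLE_STATUS_NONROOT_WITH_CONTROL, 1000))
```

The two constructed cases show the two failure modes of a uid check: it over-trusts a root process whose capabilities were dropped, and it under-trusts a non-root process that was deliberately granted the one capability it needs. Checking the capability directly is the least-privilege test.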