Hello,
I was doing some testing and found that user space messages are sent without checking the
audit_enabled flag:
[root@endeavor ~]# auditctl -e 0
AUDIT_STATUS: enabled=0 flag=1 pid=1701 rate_limit=0 backlog_limit=1024 lost=0 backlog=0
[root@endeavor ~]# auditctl -m "This is a test"
[root@endeavor ~]# ausearch -m USER
----
time->Tue Jun 14 10:48:43 2005
type=USER msg=audit(1118760523.312:13408080): user pid=24223 uid=0 auid=4294967295
msg='This is a test'
The following patch fixes it:
diff -ur linux-2.6.9.orig/kernel/audit.c linux-2.6.9/kernel/audit.c
--- linux-2.6.9.orig/kernel/audit.c 2005-06-14 10:50:16.000000000 -0400
+++ linux-2.6.9/kernel/audit.c 2005-06-14 10:53:05.000000000 -0400
@@ -444,6 +444,8 @@
break;
case AUDIT_USER:
case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
+ if (!audit_enabled)
+ break;
ab = audit_log_start(NULL, msg_type);
if (!ab)
break; /* audit_panic has been called */
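Review bot: The early `break` added ahead of `audit_log_start(NULL, msg_type)` in the AUDIT_USER / AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG case discards the message silently, and the hunk does not show what return value the sender gets on that path. Please confirm that the value left in place at this point is the intended one for a dropped message (success, or an error the sending process could act on). A one-line comment above `if (!audit_enabled)` stating that user space messages are deliberately ignored while auditing is disabled would keep the silent drop from being mistaken for a bug later.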
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>