* Mounir Bsaibes (bsaibes(a)us.ibm.com) wrote:
> One of the CAPP requirements, and probably the LSPP as well, is when audit
> records cannot be generated for a particular process, the process needs to
> be halted. The current audit system, depending on the failure flag, can
> either 1) do nothing, 2) print a kernel message, or 3) issue a panic. I am
> thinking of adding a 4) option for the failure flag to suspend the
> process. If the failure flag is set to "suspend" and the audit_log_lost
> function is called, the process will be suspended by issuing a sigsuspend
> call.

This adds a requirement to the calling location, namely that it can
sleep. I don't think that requirement is safe without some code
auditing. Also, I don't recall that all audit_log_lost callers are in
the relevant context.
thanks,
-chris
--
Linux Security Modules
http://lsm.immunix.org http://lsm.bkbits.net