Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- Rearrange auditd setting enabled and pid to avoid a race (#910568)
- Interpret the ocomm field from OBJ_PID records
- Fix missing 'then' statement in sysvinit script
- Switch ausearch to use libauparse for interpreting fields
- In libauparse, interpret prctl arg0, sched_setscheduler arg1
- In auparse, check source_list isn't NULL when opening next file (Liequan Che)
- In libauparse, interpret send* flags argument
- In libauparse, interpret level and name options for set/getsockopt
- In ausearch/report, don't flush events until last file (Burn Alting)
- Don't use systemctl to stop the audit daemon
The main feature in this release is switching ausearch over to the auparse
library for interpretations. This allows for better interpretation of syscall
arguments and since the output is visible, auparse's interpretations have been
aligned with the old ausearch output.
There is one item to note, though, for systemd-based machines. When a user asks
systemctl to stop the audit daemon, systemctl sends a D-Bus message to systemd,
and systemd then sends a SIGTERM signal to auditd. Auditd then asks the kernel
who sent the signal, because we must record that for Common Criteria. Under
systemd we get -1, which is unset, for the auid. This differs from the sysvinit
style, where you run the service command and the auid of the admin is recorded
because a process in the admin's context sends the signal.
This update adds a configuration option that tells systemd to refuse a stop
request from the admin. Instead, a script was added to the service command's
legacy support area. The audit daemon should be controlled by the service
command just like before systemd.
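To show what the auid difference above looks like in the log, here is an added example (not part of this release or of the audit package) that parses DAEMON_END records and flags daemon stops whose auid is unset, i.e. stops that cannot be tied to an admin's login session. The sample records are constructed, and the field layout is assumed to approximate what auditd 2.x writes.

```python
import re

# Constructed sample records (not captured from a real system). The layout
# approximates auditd 2.x DAEMON_* records; all values are made up.
SAMPLE_LOG = """\
type=DAEMON_END msg=audit(1360000000.123:4567): auditd normal halt, sending auid=500 pid=2345 subj=unconfined_u:unconfined_r:unconfined_t:s0 res=success
type=DAEMON_START msg=audit(1360000100.001:4568): auditd start, ver=2.3 format=raw kernel=3.7.0 auid=4294967295 pid=2400 subj=system_u:system_r:auditd_t:s0 res=success
type=DAEMON_END msg=audit(1360003600.987:4999): auditd normal halt, sending auid=4294967295 pid=1 subj=system_u:system_r:init_t:s0 res=success
"""

# The kernel reports "no login uid" as (unsigned)-1; some tools print it as -1.
UNSET_AUID = 4294967295

def parse_auid(record):
    """Return the auid of a record as an int, normalising -1 to UNSET_AUID,
    or None when the record carries no auid field."""
    m = re.search(r"\bauid=(-?\d+)\b", record)
    if not m:
        return None
    auid = int(m.group(1))
    return UNSET_AUID if auid == -1 else auid

def daemon_stops(log_text):
    """Summarise every DAEMON_END record in log_text.

    Each entry records the event timestamp, the pid that sent the stop signal,
    the auid, and whether the stop is attributable to a logged-in admin. A stop
    with an unset auid is what the systemctl path described above produces;
    the sysvinit-style service command leaves the admin's auid in place."""
    stops = []
    for line in log_text.splitlines():
        if not line.startswith("type=DAEMON_END "):
            continue
        ts = re.search(r"msg=audit\((\d+\.\d+):\d+\)", line)
        pid = re.search(r"\bpid=(\d+)\b", line)
        auid = parse_auid(line)
        stops.append({
            "time": ts.group(1) if ts else None,
            "pid": int(pid.group(1)) if pid else None,
            "auid": auid,
            "attributed": auid is not None and auid != UNSET_AUID,
        })
    return stops

def unattributed_stops(log_text):
    """Only the stops that cannot be tied to an admin's login session."""
    return [s for s in daemon_stops(log_text) if not s["attributed"]]
```

Running the check over a real audit.log (for example via `ausearch -m DAEMON_END --raw`) shows at a glance whether daemon stops on a host are being recorded with a usable auid.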
Please let me know if you run across any problems with this release.
-Steve