Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit
It will also be in rawhide soon. The Changelog is:
- Add definitions for crypto events
- Fix regression where msgtype couldn't be used as a range in audit rules
- In libaudit, extend time spent checking reply
- In acct events, prefer id over acct if given
- In aulast, try id and acct in USER_LOGIN events
- When in immutable mode, have auditctl tell user instead of sending rules
- Add option to sysconfig to disable audit system on auditd stop
- Add tcp_wrappers config option to auditd
- Aulastlog can now take input from stdin
- Update libaudit python bindings to throw exceptions on error
- Adjust formatting of TTY data in libauparse to be like ausearch/report
- Add more key mappings to TTY interpretations
- Add internal queue to audisp-remote
- Fix failure action code to allow executables in audisp-remote (Chu Li)
- Fix memory leak when NOLOG log_format option given to auditd
- Quieten some of the reconnect text being sent to syslog in audisp-remote
- Apply some libev fixups to auditd
- Cleanup shutdown sequence of auditd
- Allow auditd log rotation via SIGUSR1 when NOLOG log format option given

This is mostly a bugfix release. There was a regression introduced into
auditctl where the msgtype field was no longer able to be used for a range of
audit records. There was also a bug where a heavily loaded system or one not
getting much runtime due to virtualization would not get a netlink reply
(EAGAIN) and this caused pamified services to not work. Now in immutable
mode, auditctl will output something to stderr to let you know that you can't
change the audit rules. The init scripts now have a new option to configure
in /etc/sysconfig/audit that determines whether or not to leave the audit
system enabled during shutdown.

In the remote logging category, there is a new option to auditd to
enable/disable tcp_wrappers at runtime. An internal queue was added to the
remote logger so that if the remote server goes down, events will be queued
in memory in hopes of being able to transfer them when the connection is
re-established. Failure actions in the remote loggers now accept paths to
executables. When the NOLOG option is given, a memory leak has been fixed.
Further review of NOLOG found that SIGUSR1 commands were not having any
effect when the NOLOG option was given.

On the TTY audit front, libauparse was updated to match the output of ausearch
and new keystroke mappings were added.

Please let me know if you run across any problems with this release.
-Steve