The kernel ignores auditable events from the audit daemon, but is there an 'approved' way to achieve the same for dispatchers? The problem is the same, in that you get an infinite loop if the dispatcher itself performs any action which generates an audit record. Thanks, Matt -- Matthew Booth, RHCA, RHCSS Red Hat, Global Professional Services M: +44 (0)7977 267231 GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490