Hello, We just released a new version of the audit daemon. It can be downloaded from https://github.com/linux-audit/audit-userspace/releases/ The ChangeLog is: - Rework audisp queue to be lockless - Fix missing delete command in auditctl - Allow plus addresses (rfc5233) to auditd email. - Reduce memory churn in auditd event dispatching - Add configurable recurring state report in auditd - Switch audisp-statsd to stop sending signals - Add glibc memory stats to audisp-statsd The main point of this release is to restore the missing functionality in auditctl. But this was kind of unplanned. There are some big changes in the plugins area that I wanted to highlight. The dispatcher queue is now lockless. This should let auditd get back to processing new events faster. It also removed one malloc/free in the dispatcher path. This should lower memory churn for auditd and allow somewhat faster dispatching. (The next release will continue this work in the plugins to make them even faster.) The other items to mention is auditd's email can now support plus addresses (rfc5233). And the last item is the new glibc metrics have been added to the statsd plugin. Also to note, auditd now has a configurable timer that can trigger the publishing of the state report to /var/run/auditd.state. The statsd plugin reads this, but if you have any kind of metrics collection system, you can also point it to this file. f you notice any problems with this release, please let us know. SHA256: 76159def49df28f50353976bed52801af6039a15bd691e3bb216cb2dcaa78d86 -Steve