Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The Changelog is:
- Remove LSB headers info for init scripts
- Re-fix buffer overflow in audit_log_user_command (#438840)
- Fix memory leak in EOE code in auditd (#440075)
- In auditctl, don't use new operators in legacy rule format
- Made a couple corrections in alpha & x86_64 syscall tables (Miloslav Trmac)
- Add example STIG rules file
- Add string table lookup performance improvement patch (Miloslav Trmac)
- auparse_find_field_next performance improvement
The overflow fix in 1.7 for audit_log_user_command was incomplete. This
release should have it nailed. A memory leak was found on EOE records in the
audit daemon. You only get EOE records from the 2.6.25 kernel, which is not
released. Anyone who will be running 2.6.25 should update to this release to
avoid problems. It was also found that rules having '>=' were getting
translated to '!=' when listed back out. The fix is to use the new (2.6.16
and later) rule format for more cases. We should start migrating off the old
rule format since 2.6.15 and lower kernels are not likely to be running the
current audit package.
The release also has some improvements in performance. The lookup tables in
libaudit and auparse were converted over to bsearch from brute force
iterating. This improves lookups by anywhere from 5% to 5000% depending on
the table size and the element's placement in that table. The external API has
not changed for this. Also, the auparse_find_field_next function in libauparse
was iterating a few times more than necessary whenever a search item missed
in the current record.
This release also contains a sample implementation of the Linux STIG rules.
Please let me know if you run across any problems with this release.
-Steve
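As an added check, not part of this mail or of the audit package itself: a Python script that compares the rules you loaded against what `auditctl -l` lists back and flags any `-F` operator that changed in the round trip, which is how the '>=' to '!=' problem described above would show up after loading a rules file. It assumes the listing uses the same `-a/-S/-F` syntax as the rules file, and both inputs below are constructed samples.

```python
import re

# Comparison operators auditctl accepts in -F expressions, longest first so
# that '>=' is matched before '>' and '!=' before '='.
FIELD_RE = re.compile(r"^([A-Za-z0-9_]+)(>=|<=|!=|&=|=|>|<|&)(.+)$")

def parse_rule(line):
    """Split one auditctl rule line into (action, syscalls, [(field, op, value), ...]).
    Only -a, -S and -F are interpreted; every other option is assumed to
    take exactly one argument and is skipped."""
    toks = line.split()
    action, syscalls, fields = None, [], []
    for i in range(0, len(toks) - 1, 2):
        opt, arg = toks[i], toks[i + 1]
        if opt == "-a":
            action = tuple(sorted(arg.split(",")))   # 'exit,always' == 'always,exit'
        elif opt == "-S":
            syscalls.append(arg)
        elif opt == "-F":
            m = FIELD_RE.match(arg)
            if not m:
                raise ValueError("bad -F expression: " + arg)
            fields.append(m.groups())
    return action, sorted(syscalls), fields

def operator_mismatches(loaded_text, listed_text):
    """Pair loaded rules with listed rules by position and return
    (field, loaded_op, listed_op) for every field whose operator changed."""
    loaded = [parse_rule(l) for l in loaded_text.splitlines()
              if l.strip() and not l.startswith("#")]
    listed = [parse_rule(l) for l in listed_text.splitlines() if l.strip()]
    problems = []
    for (_, _, lf), (_, _, sf) in zip(loaded, listed):
        for (f1, op1, v1), (f2, op2, v2) in zip(lf, sf):
            if f1 == f2 and v1 == v2 and op1 != op2:
                problems.append((f1, op1, op2))
    return problems

# Constructed sample: the rules as written to the rules file ...
LOADED = """# watch file opens by real users and all execs by logged-in users
-a exit,always -F arch=b64 -S open -F uid>=500 -k user-open
-a exit,always -F arch=b64 -S execve -F auid!=4294967295 -k exec
"""
# ... and a constructed listing showing the pre-fix behaviour ('>=' listed as '!=').
LISTED_BUGGY = """-a exit,always -F arch=b64 -S open -F uid!=500 -k user-open
-a exit,always -F arch=b64 -S execve -F auid!=4294967295 -k exec
"""

if __name__ == "__main__":
    for field, want, got in operator_mismatches(LOADED, LISTED_BUGGY):
        print("operator changed on round trip: %s loaded '%s', listed '%s'" % (field, want, got))
```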