Hello, I just wanted to confirm for my memory that if I wanted to confirm that the auditd process running on my system was configured correctly and intended to be *immutable (*setting *-e 2*) I would do so easily by executing: *auditctl -s* When I execute that command I get back in the results that have: *enabled 1* *loginuid_immutable 0 unlocked* *among a few other lines.* Shouldn't I actually see *enabled 2*? I have in one of our .rules files under /etc/audit/rules.d/ the syntax "-e 2". Thanks, -------------------------- Warron French