Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The Changelog is:
- Don't error out in auditd when calling setsid
- Reformat a couple auditd error messages (Oden Eriksson)
- If log rotate fails, leave the old log writable
- Fixed bug in setting up auditd event loop when listening
- Warn if on biarch machine and auditctl rules show a syscall mismatch
- Audisp-remote was not parsing some config options correctly
- In auparse, check for single key in addition to virtual keys
- When auditd shuts down, send AUDIT_RMW_TYPE_ENDING messages to clients
- Updated sample plugin code to use auparse
- Created reconnect option to remote ending setting of audisp-remote

This is mostly a bugfix release. When being started by init, auditd was dying
when trying to set its session id since init already does this. When logs
were rotated and failed for some reason, the original log was left in a
readonly state; this has been corrected. I found several problems with remote
logging and fixed them for the non-kerberos use case... I'll try to check the
work for kerberos in the next release. And the sample audispd plugin code was
updated to show how to use the auparse library to make a plugin.

That leaves one item left to go over. People have discovered over time that 32
and 64 bit syscalls can have a different syscall number. Auditctl in this
version now issues a warning to stderr when it loads a syscall audit rule for
64 bit machines where the 32 bit version has a syscall number mismatch.
Hopefully, this will help educate people that they may not have all the
syscalls they intended covered. But at the same time, some people might just
consider this spamming the console. I would like feedback on this new warning
and if it's obtrusive and how you would suggest making it better.

Please let me know if you run across any problems with this release.
-Steve
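
An added example, not part of the original announcement or the audit project's code: a small Python check for the coverage gap the new warning is about, reporting syscall rules that carry no `arch` field and syscalls that are audited for only one of the two ABIs. The rule text is constructed, and the check assumes rules use auditctl's `b32`/`b64` arch aliases.

```python
import shlex
from collections import defaultdict

# Constructed sample rules, not taken from any real system.
SAMPLE_RULES = """\
# time changes, both ABIs covered
-a always,exit -F arch=b64 -S settimeofday -k time-change
-a always,exit -F arch=b32 -S settimeofday -k time-change
# only the 64-bit ABI is covered
-a always,exit -F arch=b64 -S chmod -S fchmod -k perm-mod
# no arch field at all
-a always,exit -S unlink -k delete
-w /etc/passwd -p wa -k identity
"""

ABIS = {"b32", "b64"}  # assumption: rules use these aliases, not machine names

def parse_rule(line):
    """Return (arch or None, [syscall names]) for one auditctl rule line."""
    tokens = shlex.split(line, comments=True)
    arch, syscalls = None, []
    for flag, value in zip(tokens, tokens[1:]):
        if flag == "-S":
            syscalls.extend(value.split(","))   # -S a,b and repeated -S
        elif flag == "-F" and value.startswith("arch="):
            arch = value.split("=", 1)[1]
    return arch, syscalls

def check_rules(text):
    """Return (line numbers of syscall rules without arch,
               {syscall: [ABIs with no rule]})."""
    no_arch, covered = [], defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        arch, syscalls = parse_rule(line)
        if not syscalls:
            continue                 # watch rule, comment or blank line
        if arch is None:
            no_arch.append(lineno)   # syscall number resolved for one ABI only
            continue
        for name in syscalls:
            covered[name].add(arch)
    one_sided = {n: sorted(ABIS - a) for n, a in covered.items() if ABIS - a}
    return no_arch, one_sided

if __name__ == "__main__":
    missing_arch, gaps = check_rules(SAMPLE_RULES)
    print("syscall rules without arch= on lines:", missing_arch)
    for name, abis in sorted(gaps.items()):
        print(f"{name}: no rule for {', '.join(abis)}")
```

A syscall flagged as one-sided may simply not exist on the other ABI, so treat the output as a list to review rather than a list of errors.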