
New prelude sensor: Auditd
Steve Grubb from Red Hat wrote the Prelude plugin for Auditd, the SELinux daemon which logs policy violations.
The plugin can currently detect and message: apps that terminate abnormally (gcc stack overflow / glibc FORTIFY_SOURCE / plain old segfault), SELinux AVCs, logins, MAX failed login attempts reached, and MAX concurrent sessions reached. This is all done in real time and not based on a cron job. The audit daemon is capable of being run directly from init if you want to do it that way.
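What those five event classes look like at the raw audit-log level, as an added Python example that is not part of the plugin or Steve's code: it parses raw auditd records, keeps only the record types behind the classes listed above, and flattens their fields for alerting. The audit record type names are real Linux audit types; the mapping to categories, the parser and the sample records are constructed for illustration.

```python
import re

# Audit record types mapped to the alert classes listed in the announcement.
# The type names are real Linux audit record types; the grouping, the parser
# and the sample records below are this example's own construction.
CATEGORIES = {
    "ANOM_ABEND": "abnormal-termination",   # segfault, stack protector, FORTIFY abort
    "AVC": "selinux-avc",                   # SELinux policy denial
    "USER_LOGIN": "login",
    "ANOM_LOGIN_FAILURES": "max-failed-logins",
    "ANOM_LOGIN_SESSIONS": "max-concurrent-sessions",
}

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>\w+)\s+\{(?P<perms>[^}]*)\}")

def parse_fields(body):
    """Flatten key=value pairs, descending into the quoted msg='...' sub-record."""
    fields = {k: v.strip("\"'") for k, v in KV_RE.findall(body)}
    inner = fields.pop("msg", None)
    if inner and "=" in inner:
        fields.update(parse_fields(inner))
    m = AVC_RE.search(body)
    if m:   # keep the AVC verdict and the denied permissions as structured data
        fields["verdict"] = m.group("verdict")
        fields["perms"] = m.group("perms").split()
    return fields

def classify(line):
    """Return an alert dict for records the sensor would report, else None."""
    m = HEADER_RE.match(line.strip())
    if not m or m.group("type") not in CATEGORIES:
        return None   # malformed, or a record type the sensor does not forward
    return {"category": CATEGORIES[m.group("type")], "type": m.group("type"),
            "time": float(m.group("ts")), "serial": int(m.group("serial")),
            "fields": parse_fields(m.group("body"))}

def classify_all(lines):
    return [a for a in map(classify, lines) if a is not None]

# Constructed sample records (not captured from a real system).
SAMPLE_LOG = [
    'type=ANOM_ABEND msg=audit(1199999999.100:101): auid=500 uid=500 gid=500 ses=1 pid=1234 comm="myapp" sig=11',
    'type=AVC msg=audit(1199999999.200:102): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1199999999.200:102): arch=c000003e syscall=2 success=no exit=-13',
    "type=USER_LOGIN msg=audit(1199999999.300:103): user pid=3456 uid=0 auid=500 ses=2 msg='op=login id=500 exe=\"/usr/sbin/sshd\" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/0 res=success'",
    "type=ANOM_LOGIN_FAILURES msg=audit(1199999999.400:104): user pid=4567 uid=0 auid=500 ses=3 msg='op=login id=500 exe=\"/bin/login\" hostname=? addr=? terminal=tty1 res=failed'",
]
```

The SYSCALL record in the sample is deliberately dropped, since it is not one of the classes the sensor forwards; on a live system the records would come from /var/log/audit/audit.log or from an audispd plugin's stdin.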
The package and installation instructions are available at:
http://people.redhat.com/sgrubb/audit/.
If you run Fedora Core 8, you can try it easily by running:
yum --enablerepo=updates-testing install audispd-plugins
To do testing on Fedora rawhide (which will become Fedora 9), you will need to put SELinux in permissive mode ("setenforce 0").
More information available in Steve’s auditd+prelude HOWTO.
