Hi all, I've been struggling lately to find a way to use the audit functionality in any meaningful way while using jails. My original idea was running auditd on the host, and thus get audit data for all the jails - however this proves impractical as identifying, for instance, the path of an executable inside a jail is impossible (it shows as //usr/bin/something in the logs). I have also failed to run auditd inside the jails, and doing so would somehow reduce its value - as the idea is to lock down the host and audit from there. I see there is a SOC project to make audit jail-aware, but I'm sure I've missed something in the current implementation (7.1) as well. Could anyone share their experiences on this with me - or am I on the wrong track entirely? Thanks, /Eirik