diff --git a/.etckeeper b/.etckeeper
index 61e1996..b0fb737 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -4801,6 +4801,7 @@ maybe chmod 0644 'rspamd/worker-proxy.inc'
 maybe chmod 0644 'rsyslog.conf'
 maybe chmod 0755 'rsyslog.d'
 maybe chmod 0640 'rsyslog.d/00-backup.conf'
+maybe chmod 0640 'rsyslog.d/filecreatemode.conf'
 maybe chmod 0644 'rsyslog.d/ignore-systemd-session-slice.conf'
 maybe chown 'rundeck' 'rundeck'
 maybe chgrp 'rundeck' 'rundeck'
diff --git a/audit/auditd.conf b/audit/auditd.conf
index 04da87d..df854d6 100644
--- a/audit/auditd.conf
+++ b/audit/auditd.conf
@@ -14,7 +14,7 @@ num_logs = 5
 priority_boost = 4
 name_format = NONE
 ##name = mydomain
-max_log_file_action = ROTATE
+max_log_file_action = keep_logs
 space_left = 75
 space_left_action = SYSLOG
 verify_email = yes
diff --git a/pam.d/su b/pam.d/su
index 0fa9008..59e9446 100644
--- a/pam.d/su
+++ b/pam.d/su
@@ -4,7 +4,7 @@ auth		sufficient	pam_rootok.so
 # Uncomment the following line to implicitly trust users in the "wheel" group.
 #auth		sufficient	pam_wheel.so trust use_uid
 # Uncomment the following line to require a user to be in the "wheel" group.
-#auth		required	pam_wheel.so use_uid
+auth		required	pam_wheel.so use_uid
 auth		substack	system-auth
 auth		include		postlogin
 account		sufficient	pam_succeed_if.so uid = 0 use_uid quiet
diff --git a/rsyslog.d/filecreatemode.conf b/rsyslog.d/filecreatemode.conf
new file mode 100644
index 0000000..c49a68d
--- /dev/null
+++ b/rsyslog.d/filecreatemode.conf
@@ -0,0 +1,2 @@
+$FileCreateMode 0640
+
diff --git a/selinux/targeted/.policy.sha512 b/selinux/targeted/.policy.sha512
index 42fed18..809538f 100644
--- a/selinux/targeted/.policy.sha512
+++ b/selinux/targeted/.policy.sha512
@@ -1 +1 @@
-19436b134dd04ff9a79126cc9b81607af76cea01207a21ff70c52f05f89bc2002be6545c82d1d10fed1eeebc8b5da846424bad9b9723709e47fbfb791a06f405
+921b542b63eabe1241302746aceb49f5711ae2b73e87cdfff5fce3cea66dea8c14ccc59e99fa213d669cf78805c8671e5aee45aa1e02f9e97574d788fa05da90
diff --git a/selinux/targeted/policy/policy.31 b/selinux/targeted/policy/policy.31
index b7bae91..5b44fa0 100644
Binary files a/selinux/targeted/policy/policy.31 and b/selinux/targeted/policy/policy.31 differ