Hi,
the dev= field of auditd information seems to be missing for open,
exec syscalls.
Is there a reason why this information is not available?
(I'd like to filter out all open calls on /proc...)
The log lines I get look like the following:
type=KERNEL msg=audit(1109035917.261:14548): item=0
name=/usr/share/locale/de/LC_MESSAGES/coreutils.mo inode=852010
dev=00:00
and the dev=00:00 value is bogus; I never get a different value.
I'm currently trying to use auditd to obtain an optimized "readahead"
file list for speeding up system boot. I had this idea some months
ago; maybe I should check recent boot speedup developments... ;-)
Greetings,
Erich Schubert
--
erich(a)(mucl.de|debian.org) -- GPG Key ID: 4B3A135C (o_
To understand recursion you first need to understand recursion. //\
Where the paths of friends converge, the whole world for an hour V_/_
looks like home. --- Hermann Hesse
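As an added example (not code from the mail or from the audit project), a small Python parser for records in the format shown above that builds the readahead file list by name= prefix, since the dev= field cannot be used; the sample records, apart from the one quoted in the mail, and the /proc and /lib paths and inodes in them are constructed.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample: the first record is the one from the mail (still wrapped
# over three lines as it arrived); the other paths and inodes are made up.
SAMPLE_LOG = """\
type=KERNEL msg=audit(1109035917.261:14548): item=0
name=/usr/share/locale/de/LC_MESSAGES/coreutils.mo inode=852010
dev=00:00
type=KERNEL msg=audit(1109035917.262:14549): item=0 name=/proc/self/stat inode=1 dev=00:00
type=KERNEL msg=audit(1109035917.263:14550): item=0 name=/lib/libc.so.6 inode=4567 dev=00:00
type=KERNEL msg=audit(1109035917.264:14551): item=0 name=/lib/libc.so.6 inode=4567 dev=00:00
"""

_FIELD = re.compile(r"(\w+)=(\S+)")
_MSG = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def iter_records(text: str) -> Iterator[str]:
    """Yield one record per line; a line not starting with 'type=' is treated
    as the continuation of the previous record (mail-client wrapping)."""
    buf = ""
    for line in text.splitlines():
        if line.startswith("type=") and buf:
            yield buf
            buf = line
        else:
            buf = f"{buf} {line.strip()}" if buf else line
    if buf:
        yield buf


def parse_record(record: str) -> Dict[str, str]:
    """Split a record into key=value fields; msg=audit(ts:serial) is expanded
    into 'ts' and 'serial'. Quoted or hex-encoded name= values are not handled."""
    fields = dict(_FIELD.findall(record))
    m = _MSG.match(fields.get("msg", ""))
    if m:
        fields["ts"], fields["serial"] = m.group(1), m.group(2)
    return fields


def readahead_list(text: str, exclude: Tuple[str, ...] = ("/proc/", "/sys/", "/dev/")) -> List[str]:
    """Unique name= paths in first-seen order, skipping pseudo-filesystems by
    path prefix because dev= is 00:00 on every record and cannot be used."""
    seen: Dict[str, None] = {}
    for rec in map(parse_record, iter_records(text)):
        name = rec.get("name")
        if name and not name.startswith(exclude):
            seen.setdefault(name, None)
    return list(seen)
```

Pass `exclude=()` to see the /proc entries that the default prefix filter removes.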