How to capture mount event in /var/log/audit/audit.log

Hi Linda Thanks for the response, $ strace mount shows a few lines plus the following: open("/etc/mtab", O_RDWR|O_CREAT|O_LARGEFILE, 0644) = -1 EACCES (Permission denied) Then the root window that has tail -f /var/log/audit/audit.log does capture unsuccessful mount with exit=-13 I need /var/log/audit/audit.log to be able to capture the mount event automatically without strace intervention. Betty ---------- Forwarded message ---------- From: Betty Man <man.bty(a)gmail.com&gt; Date: Fri, Jul 6, 2012 at 10:53 PM Subject: capture mount event in /var/log/audit/audit.log To: linux-audit(a)redhat.com Hi Everyone, in RHEL 5.5 kernel 2.6.18-194.el5 audit-1.7.17-3.el5 Have the following in the /etc/audit/audit.rules ## non-privilege users using mount command. -a exit,always -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k export -a exit,always -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export from a general user account $ mount /dev/hdc /dev/cdrom mount: only root can do that but /var/log/audit/audit.log does not capture this event Any input is much appreciated! Thanks in advance Betty