On Tuesday 23 September 2008 12:18:27 Fulda, Paul (Space Technology) wrote: The "watch" style commands will not work. The audit system works at the syscall level. So, under the hood, the audit system will place a rule on execve, or open on your behalf. Neither of these are the actual syscall that fails. strace is your friend. I ran a command that would fail and see something like this: write(3, "strace: exec: Permission denied\n"..., 32strace: exec: Permission denied ) = 32 close(3) = 0 munmap(0x7f17fc707000, 4096) = 0 exit_group(1) So, we should be able to place a rule on exit_group. -a exit,always -S exit_group -F a0=1 -F auid>=500 But I'm really not sure this will give you good, quality results. You can experiment and see. But the audit system is at the syscall level and not the application level and that should always be taken into account. -Steve