On Wednesday 01 October 2008 15:58:44 Starr-Renee Corbin wrote: This is hardwired into the pam_talley2 code. As long as its in your login config and audit is enabled, you should get it. In RHEL4, you can get accesses to /etc/shadow via watches, but not just the denied because of permission. aureport --file --failed would find them for you. You can also get all opens that failed due to permission denied. This would include more than /etc/shadow, though. RHEL5 and current upstream kernels do not have this limitation and can record the permission denied access to security relevant files. -Steve