MINOR: It appears that there needs to be a space between the "key=xxx" and "list=N" results from "ausearch -i -ts today": ... type=CONFIG_CHANGE msg=audit(05/08/2008 10:34:57.259:151) : auid=unset subj=system_u:system_r:auditctl_t:s0-s15:c0.c1023 op=add rule key=CFG key=postfixlist=4 res=1 ... I'm sure this one is on startup when the audit.rules file is parsed and the auditctls all happen. And what does the "list=N" part represent? Would it be the following (i.e. exit): #define AUDIT_FILTER_EXIT 0x04 /* Apply rule at syscall exit */ Thx, LCB. -- LC (Lenny) Bruzenak lenny(a)magitekltd.com