Hello,
The following two patches augment the collection of inode info during
syscall processing. They represent part of the functionality that was
provided by the auditfs patch included in RHEL4.
Specifically, they:
- Collect information for target inodes created or removed during
syscalls. Previous code only collects information for the target
inode's parent.
- Add the audit_inode() hook to syscalls that operate on a file
descriptor (e.g. fchown), enabling audit to do inode filtering for
these calls.
- Modify filtering code to check audit context for either an inode #
or a parent inode # matching a given rule.
- Modify logging to provide inode # for both parent and child.
- Protect debug info from NULL audit_names.name.
Please let me know if you have any comments. I'll note a concern of
my own in a following email.
I've done a fair amount of testing with these patches, and think it
would be good if we could start providing a test kernel for filesystem
auditing patches. I think this should be separate from an audit-lspp
test kernel.
I based these patches off David's git tree, although the patch against
fsnotify should really be sent to the Inotify developers. Any
thoughts on where these patches should live? Could we have multiple
branches in David's audit git tree?
Thanks,
Amy