Hi, folks. I'm working on getting Audit working on Fedora Core 5, using the latest assembly of RPMS from Fedora: audit-libs-1.1.5-1 audit-libs-devel-1.1.5-1 audit-libs-python-1.1.5-1 audit-1.1.5-1 and I'm having quite a few problems with it. It appears that, contrary to the man pages in the audit RPM, file watches are not supported. Likewise, many of the example rules in /usr/share/doc/audit-1.1.5/sample.rules, such as # Auditing failed opens -a entry,always -S open -F success!=0 seem to be out of step with the actual rules supported by /sbin/auditctl and/or the kernel. (I get the sensible 'Field success cannot be checked at syscall entry' message). Now, I understand from the Audit System FAQ at http://people.redhat.com/sgrubb/audit/ that file watches in the kernel are being refactored to use inotify, so I presume that explains why auditctl tells me that 'File system watches not supported' when I run 'auditctl -L', and why it gives me a vaguer complaint when I actually try to run 'auditctl -w'. My questions are these: Would the latest FC5 kernels support inotify-based file watches with a more recent version of the Audit user tools? Is there any up-to-date documentation that would serve me better than that in the /usr/share/doc/audit-1.1.5 directory on FC5? I don't see any on Steve Grubb's Audit page. Thanks, Jon -- ------------------------------------------------------------------------------- Jonathan Abbey jonabbey(a)arlut.utexas.edu Applied Research Laboratories The University of Texas at Austin GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg