We currently have RHEL5.1 WS with audit-1.5.5-7el5 installed. We need to create a watch for a file in /etc/init.d. As usual, I created the watch with the following line in /etc/audit/audit.rules:
-w /etc/init.d/myfile -p warx -k CFG_MYFILE
After I bounced the auditd daemon, I tested an execute on this file and it never appeared in ausearch. However, if I move myfile anywhere else (i.e. /etc, /tmp, /export ...), making the appropriate path change in audit.rules, the watch appears fine in ausearch.
Since /etc/init.d is a link to /etc/rc.d/init.d, we suspected this could be the issue. Consequently, I made the appropriate change to audit.rules (using the path /etc/rc.d/init.d instead of /etc/init.d), again bounced the auditd daemon, and ausearch still did not show the access when I tested an execute on myfile. I also thought maybe it was the '.' in init.d causing the issue. Consequently, I created a test directory, /tmp/test.d, copied my test file to that directory, and created the watch; the watch was again successful. It appears audit doesn't like something about the /etc/init.d link and /etc/rc.d/init.d, and I'm not sure what it could be. As a side note, I attempted this test on CentOS 5.4 and didn't have the same issue.
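Added example, not from the poster: a small shell helper for the two checks worth doing before chasing the symlink theory further. It builds the -w rule from the canonical path (GNU readlink -f, assumed available), confirms that the watched path and the path you actually execute resolve to the same inode, and, only where auditctl/ausearch exist and you are root, checks that the rule is loaded and lists events by key. The /etc/init.d -> /etc/rc.d/init.d layout is rebuilt under a temp directory so the path logic can be tried without touching a real audit.rules.

```shell
#!/bin/sh
# Added example (not the poster's code). Assumes GNU coreutils
# (readlink -f, stat -c); auditctl and ausearch are only called when present.

# Emit a -w rule for the resolved path of $1 with permissions $2 and key $3,
# so the watch never goes through a symlinked directory such as /etc/init.d.
audit_watch_rule() {
    target=$(readlink -f -- "$1") || return 1
    printf '%s %s -p %s -k %s\n' -w "$target" "$2" "$3"
}

# Succeed when two paths refer to the same device:inode pair, i.e. the file
# being watched is the file being executed, whatever path name was used.
same_inode() {
    a=$(stat -c '%d:%i' -- "$1") || return 1
    b=$(stat -c '%d:%i' -- "$2") || return 1
    [ "$a" = "$b" ]
}

# Live check on a host running auditd (needs root): is a rule with this key
# loaded, and what has ausearch recorded for it so far?
check_watch() {
    key=$1
    command -v auditctl >/dev/null 2>&1 || { echo "auditctl not found"; return 2; }
    auditctl -l | grep -- "-k $key" || { echo "no loaded rule carries key $key"; return 1; }
    ausearch -k "$key" -i 2>/dev/null | tail -n 20
}

# Constructed demo layout mimicking /etc/init.d -> /etc/rc.d/init.d.
demo() {
    root=$(readlink -f "$(mktemp -d)") || return 1
    mkdir -p "$root/etc/rc.d/init.d"
    printf '#!/bin/sh\necho hello\n' > "$root/etc/rc.d/init.d/myfile"
    chmod +x "$root/etc/rc.d/init.d/myfile"
    ln -s rc.d/init.d "$root/etc/init.d"
    # Prints the rule with the resolved path, not the symlinked one.
    audit_watch_rule "$root/etc/init.d/myfile" warx CFG_MYFILE
    same_inode "$root/etc/init.d/myfile" "$root/etc/rc.d/init.d/myfile" \
        && echo "same inode: watch and target agree"
    rm -rf "$root"
}
```

Run `demo` to see the resolved rule line; on the affected box, put the emitted line in audit.rules, restart auditd, execute the file, then call `check_watch CFG_MYFILE` to confirm the rule is actually loaded before concluding the watch itself is being ignored.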