Re: [RFC][PATCH] (#6) filesystem auditing

Ok, why doesn't the following trigger any audit messages: # ./auditctl -w /etc/shadow AUDIT_WATCH : INSERT : SUCCESS $ passwd Changing password for user sds. Changing password for sds (current) UNIX password: New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. /etc/shadow was re-created by this transaction. I did see debugging messages about pushing and popping data on the cache stack. -- Stephen Smalley <sds(a)tycho.nsa.gov&gt; National Security Agency