Logging failed open() calls on /var/log/audit/audit.log

Howdy folks - I'm running audit-1.2.2 with the latest audit-current git tree (lspp.b20)... The filesystem auditing seems to be working fine for all files *except* the audit.log file. For example, I do this: auditctl -w /etc/shadow auditctl -w /var/log/audit/audit.log The audit daemon generates audit events for both successful and failed open() calls to /etc/shadow, but only records *successful* accesses to /var/log/audit/audit.log. So if I attempt to access /etc/shadow as a regular user, a "success=no" audit event is generated to indicate read failure - but if a regular user attempts to read /var/log/audit/audit.log, nothing happens (no audit event whatsoever is created). *Successful* reads of /var/log/audit/audit.log (ie: as super-user) do indeed generate the appropriate audit event in audit.log ("success=yes"). Is this the way the audit daemon is supposed to work? (some kind of race condition if the audit daemon fully audits its own audit trail?) (this question may seem unusual, but we're trying to audit "unsuccessful attempts to access security-relevant objects"... the audit trail itself constitutes a "security-relevant object"). Thanks again! ----------------------------------------------------------- Robert Giles Group System Administrator SPD/ARL:UT (512) 835-3077 � Fax (512) 490-4244