Hi,
From a session I just ran on the .56 kernel:
[root@endeavor ~]# auditctl -w /media/cdrecorder/eula.txt -k test -p wrea
No rules
AUDIT_WATCH_LIST: dev=22:64, path=/media/cdrecorder/eula.txt, filterkey=test, perms=rwea, valid=0
[root@endeavor ~]# auditctl -l
No rules
AUDIT_WATCH_LIST: dev=22:64, path=/media/cdrecorder/eula.txt, filterkey=test, perms=rwea, valid=0
[root@endeavor ~]# eject
[root@endeavor ~]# auditctl -l
No rules
No watches
Looking through the audit logs, there is one CONFIG_CHANGE record with watch
insert. No records with watch remove. The removal of a rule is a config
change and should have a corresponding audit event. But...rules should never
be lost unless they are explicitly deleted by the admin, should they?
-Steve