[ .... ]
What's the kernel in question?
Ubuntu 12.04's 3.2 and SteamOS 3.10.
audit hasn't used "inotify" in a long time. We now
use
"fsnotify".
Out of laziness I used 'inotify' to mean both; also at one point
I was looking at some 2.6.x sources as there seemed to be
relevant changes in some mailing list.
but in either case, the inodes aren't supposed to be able to
be kicked out of core...
But on 3 different system I have they really seem to be evicted,
and with regularity, and this does not happen if the inodes are
kept open.
From the source I have looked at, the *notify code seems to
attempt to hold on to the inodes that are watched, but perhaps
it has some hidden assumptions that the 'audit' module does not
satisfy.