On Mon, 2014-04-21 at 11:35 -0700, lists_todd(a)mac.com wrote:
 
 On Apr 21, 2014, at 11:28 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
 
 > What happens is that the text path that you put in a watch is a human
 > convenience. The kernel doesn't understand strings, it understands
 > numbers. It changes the path into device and inode information.
 
 
 Cool. So I am guessing the rule works even if someone creates a hard
 link to the same watched path and accesses files through that other
 path?

As I remember, and it's been a long time, watches should survive even if
the object being watched is deleted and recreated.  I seem to remember
it was only if the parent directory is deleted that rules get evicted.
So that doesn't explain it for /boot!  Pretty darn hard to delete /!
But it could easily make sense for your other areas being watched...
But yes, if you watch /etc/shadow and someone accesses that inode
through another hard link, you will get audit records...
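
The thread's point that a watch comes down to device and inode information can be checked from user space. The following is an added example, not part of the original messages: it lists every path under a directory tree that shares a watched file's (st_dev, st_ino) pair, which is how hard-link aliases of a watched file show up. The sample tree and file names are constructed, and `inode_key`, `find_aliases` and `demo` are hypothetical helper names.

```python
import os
import tempfile


def inode_key(path):
    """Return the (device, inode) pair a path names, without following a final symlink."""
    st = os.lstat(path)
    return (st.st_dev, st.st_ino)


def find_aliases(watched, search_root):
    """Return every file path under search_root that names the same inode as `watched`."""
    key = inode_key(watched)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(search_root):
        for name in filenames:
            candidate = os.path.join(dirpath, name)
            try:
                if inode_key(candidate) == key:
                    hits.append(candidate)
            except OSError:
                # File vanished or is unreadable between listing and lstat; skip it.
                continue
    return sorted(hits)


def demo():
    """Build a constructed tree with one hard link and one copy, then search it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "tmp"))
        watched = os.path.join(root, "etc", "shadow")  # constructed stand-in file
        with open(watched, "w") as f:
            f.write("constructed sample content\n")
        # Second name for the same inode: same (st_dev, st_ino) as the watched file.
        os.link(watched, os.path.join(root, "tmp", "alias"))
        # Same bytes, different inode: a copy is not an alias.
        with open(os.path.join(root, "tmp", "copy"), "w") as f:
            f.write("constructed sample content\n")
        aliases = [os.path.relpath(p, root) for p in find_aliases(watched, root)]
        return aliases, os.lstat(watched).st_nlink


if __name__ == "__main__":
    print(demo())
```

A link count (`st_nlink`) above 1 on a watched file is the cue to run such a search; hard links cannot cross filesystems, so the search only needs to cover the filesystem the file lives on.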