On Saturday, March 11, 2017 11:48:53 PM EDT Warron French wrote:
> I know that I can add to the audit.rules file a rule like
> -w /etc/ -p rawx -k watch_Etc
> But how far down will this sort of audit rule monitor /etc/? How many
> levels deep?
The "-w /etc" is the same thing as "-F dir=/etc". They both go down all the
way until you hit a new mount point. So, for the sake of discussion, suppose
/dev/sdb3 was mounted at /etc/sysconfig/, then anything under /etc/sysconfig/
will not be audited. To fix this, you need to add a rule with the -q option to
tell the kernel that the mounted file system should be considered equivalent to
the directory being watched.
I also think that if you have any symlinks that point out of the subtree, that
they may not get watched because they actually resolve to another path. I'd
have to test that to be 100% sure, though.
Also note that during path resolution if there is a permission problem at a
directory level and the object was below it, you may not get an event or only
an event at the directory where the permission was blocked.
-Steve
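The two gaps Steve describes (a file system mounted below the watched directory, and symlinks that resolve outside the subtree) can be checked for ahead of time. The script below is an added example, not part of the thread or of the audit package; it assumes GNU coreutils (`readlink -f`), `find` and `awk`, and the mount table it checks is constructed to model the /dev/sdb3-on-/etc/sysconfig scenario.

```bash
#!/bin/bash
# Added example (not from the thread): for a watched directory such as the
# "-w /etc/ -p rawx -k watch_Etc" rule above, list the two kinds of subtree
# the reply says the watch does NOT follow:
#   1. file systems mounted below the watched directory
#   2. symlinks under it that resolve to a path outside the watched subtree
# Assumes GNU coreutils (readlink -f), find and awk.

# Print mount points strictly below $1. Reads a /proc/self/mounts-style
# table on stdin (fields: device mountpoint fstype options dump pass), so
# it works on a constructed table as well as on the live system.
submounts_under() {
    local watch="${1%/}"
    awk -v w="$watch" '
        # a proper descendant of w starts with "w/"; "/etcetera" does not
        $2 != w && index($2, w "/") == 1 { print $2 }
    '
}

# Print "link -> target" for symlinks under $1 whose resolved target lies
# outside $1; these resolve to another path and may escape the watch.
escaping_symlinks() {
    local watch target
    watch="$(readlink -f "${1%/}")"
    find "$watch" -type l -print 2>/dev/null | while IFS= read -r link; do
        target="$(readlink -f "$link")" || continue
        case "$target" in
            "$watch"/*) ;;                        # stays inside the subtree
            *) printf '%s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Constructed mount table (not from a real host), /proc/self/mounts format,
# modelling the reply's scenario of /dev/sdb3 mounted at /etc/sysconfig.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid 0 0
/dev/sdb3 /etc/sysconfig ext4 rw,relatime 0 0
/dev/sdc1 /etcetera ext4 rw,relatime 0 0'

# Stand-alone run: the constructed table, then the live system if available.
printf '%s\n' "$SAMPLE_MOUNTS" | submounts_under /etc
if [ -r /proc/self/mounts ]; then
    submounts_under /etc < /proc/self/mounts
    escaping_symlinks /etc
fi
```

Any path the first function prints needs its own rule (or the -q equivalence Steve mentions) before the watch covers it; paths from the second are candidates for a separate watch on their real location.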