Hello, I want to be able to audit failed access to /etc/inittab but I don't think the current auditctl features able to accomplish it. auditctl -a watch,always /etc/inittab -F success=no This would be a syntax error..but auditctl -a exit,always -w /etc/inittab -F success=no How can I do it? Thanks, ____________________________________________________________________________________ Need Mail bonding? Go to the Yahoo! Mail Q&A for great tips from Yahoo! Answers users. http://answers.yahoo.com/dir/?link=list&sid=396546091