On Wednesday 21 May 2008 12:01:52 Mathis, Jim wrote: No, a watch applies to file ops and not the chdir syscall. However, you can create a syscall audit rule that works sometimes: -a always,exit -S chdir -F path=/dir/dir1/dir2 -k evil-cd This will catch the case where they have permission to cd into that directory. But if they don't have permission to go beyond dir in the above example, then you have to resort to something more like: -a always,exit -S chdir -F exit=-EACCES -k evil-cd Which gets it and every other cd that fails due to permissions. This is because the path lookup inside the kernel never completes due to permissions, so the audit system has no full path to check against. You can cut down the false positives by adding -F auid>=500. And also use the -F arch=b32 and b64 for biarch systems. -Steve