Ah, I see my mistake. I was using 'possible' instead of 'always'. Thanks
for your help!
-- Eric --
Steve Grubb sgrubb-at-redhat.com |redhat-audit-mailing-list| wrote:
On Wednesday 06 June 2007 14:40, Eric Howard wrote:
> I have been tasked to generate test cases to validate the proper execution
> of particular syscall audit flags.
I think HP open sourced a test suite that tests the audit system:
http://sourceforge.net/projects/audit-test
> In most cases I have succeeded in triggering audit log entries. However, I
> have been unable to trigger audit entries for the 'symlink call'. My test
> cases are generated by a shell script that executes commands to trigger the
> relevant calls. In my test case I created a hard-link and a soft-link
> using /bin/ln. Running strace indicated that the syscall was definitely
> made but 'ausearch -sc symlink' shows nothing. I am using
> audit-1.0.15-3.EL4. Any insight into this problem would be appreciated.
Looking at the syscalls, it should trigger on something like:
auditctl -a always,exit -S symlink
Or were you testing it another way?
-Steve
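
A test case along the lines discussed in this thread, as an added example that is not part of the original messages or of the audit project's code. It loads the rule with the `always` action, triggers symlink(2) with `/bin/ln -s`, and asks `ausearch` for an event from that exact process. The function names, the constructed sample records and the x86_64 syscall numbers (symlink=88, link=86) are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate that a symlink audit rule produces a record.

# Constructed sample of raw audit.log records (x86_64: link=86, symlink=88).
SAMPLE_LOG='type=SYSCALL msg=audit(1181155200.101:41): arch=c000003e syscall=86 success=yes exit=0 comm="ln" exe="/bin/ln"
type=SYSCALL msg=audit(1181155200.202:42): arch=c000003e syscall=88 success=yes exit=0 comm="ln" exe="/bin/ln"
type=PATH msg=audit(1181155200.202:42): name="/tmp/audit-test/soft"'

# count_syscall_records TEXT NUM COMM
# Prints how many SYSCALL records in TEXT carry syscall=NUM from command COMM.
# Matching whole fields keeps syscall=88 from matching syscall=886.
count_syscall_records() {
    printf '%s\n' "$1" | awk -v want="syscall=$2" -v comm="comm=\"$3\"" '
        $1 == "type=SYSCALL" {
            hit = 0; who = 0
            for (i = 2; i <= NF; i++) {
                if ($i == want) hit = 1
                if ($i == comm) who = 1
            }
            if (hit && who) n++
        }
        END { print n + 0 }'
}

# live_symlink_test: requires root and a running auditd.
# Returns 0 if the ln process that made the soft link was audited.
live_symlink_test() {
    dir=$(mktemp -d) || return 2
    auditctl -a always,exit -S symlink || return 2   # rule from the thread
    /bin/ln -s "$dir/target" "$dir/soft" &
    pid=$!
    wait "$pid"
    sleep 1                                  # let auditd write the record
    ausearch -sc symlink -p "$pid" >/dev/null 2>&1
    rc=$?                                    # non-zero means no match
    auditctl -d always,exit -S symlink       # remove the test rule again
    rm -rf "$dir"
    return $rc
}

# Only touch the running audit configuration when asked explicitly.
if [ "${1:-}" = "live" ]; then
    live_symlink_test && echo "PASS: symlink audited" || echo "FAIL: no symlink record"
fi
```

The constructed sample also shows why the hard link made by the same test script does not count: it is a link(2) record, which a rule on `symlink` never matches.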