On Tuesday 28 March 2006 13:15, Mont Rothstein wrote:
> Could someone please enlighten me? I am trying to audit all access to
> files (read, write, remove). I believe all I need to do is audit open,
> write, and rmdir in a single rule. I just can't figure out how to format
> it.
This is in the latest capp.rules file. To find the file:
[~]$ rpm -ql audit | grep capp
/usr/share/doc/audit-1.0.14/capp.rules
in it:
## File content modification. Permissions are checked at open time,
## monitoring individual read/write calls is not useful.
-a entry,possible -S creat -S open -S truncate -S truncate64 -S ftruncate -S ftruncate64
## directory operations
-a entry,possible -S mkdir -S rmdir
## moving, removing, and linking
-a entry,possible -S unlink -S rename -S link -S symlink
I recommend combining rules where possible, since this improves
the overall performance: there are fewer rules to iterate through.
-Steve
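The following is an added example, not code from the thread or from the audit package, that mechanises Steve's advice: it reads a capp.rules-style listing, folds every `-a` rule that shares the same action, `-F` filters and other options into one rule with the union of the `-S` syscall lists, and passes comments, watches and other lines through unchanged. The sample input is constructed here from the three capp.rules lines quoted above plus one hypothetical rule with a `-F uid=0` filter, added to show that rules with different filters must stay separate.

```python
import shlex
from collections import OrderedDict

# Constructed sample input: the three capp.rules lines quoted in the thread,
# plus one hypothetical rule with a -F filter that must NOT be folded in.
SAMPLE_RULES = """\
## File content modification. Permissions are checked at open time,
## monitoring individual read/write calls is not useful.
-a entry,possible -S creat -S open -S truncate -S truncate64 -S ftruncate -S ftruncate64
## directory operations
-a entry,possible -S mkdir -S rmdir
## moving, removing, and linking
-a entry,possible -S unlink -S rename -S link -S symlink
## hypothetical extra rule: same list/action, but an added field filter
-a entry,possible -S open -F uid=0
"""


def parse_rule(line):
    """Split one '-a <action>' rule into (action, fields, syscalls, other).

    -S values are collected in order; -F values and any remaining tokens
    form the key that decides whether two rules may be merged.
    """
    tokens = shlex.split(line)
    action, syscalls, fields, other = None, [], [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-a", "-S", "-F") and i + 1 < len(tokens):
            val = tokens[i + 1]
            if tok == "-a":
                action = val
            elif tok == "-S":
                syscalls.append(val)
            else:
                fields.append(val)
            i += 2
        else:
            other.append(tok)
            i += 1
    return action, tuple(fields), syscalls, tuple(other)


def merge_rules(text):
    """Fold syscall rules that share action, -F filters and other options
    into a single rule carrying the union of their -S lists.

    Lines that do not start with '-a' (comments, -w watches, -D, -b ...)
    are passed through in place; a merged rule is emitted at the position
    of its first member, so relative ordering of unrelated rules is kept.
    """
    groups = OrderedDict()   # key -> ordered, de-duplicated syscall list
    output = []              # either a pass-through string or a group key
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("-a"):
            output.append(line)
            continue
        action, fields, syscalls, other = parse_rule(line)
        key = (action, fields, other)
        if key not in groups:
            groups[key] = []
            output.append(key)
        for sc in syscalls:
            if sc not in groups[key]:
                groups[key].append(sc)

    lines = []
    for item in output:
        if isinstance(item, str):
            lines.append(item)
            continue
        action, fields, other = item
        parts = ["-a", action]
        parts += ["-S " + sc for sc in groups[item]]
        parts += ["-F " + f for f in fields]
        parts += list(other)
        lines.append(" ".join(parts))
    return lines


def syscall_rules(lines):
    """Return only the '-a' rules from a listing (handy for before/after counts)."""
    return [l for l in lines if l.startswith("-a")]


if __name__ == "__main__":
    before = len(syscall_rules(SAMPLE_RULES.splitlines()))
    merged = merge_rules(SAMPLE_RULES)
    print("# %d syscall rules before, %d after merging" % (before, len(syscall_rules(merged))))
    for line in merged:
        print(line)
```

On the constructed input the three quoted rules collapse into one `-a entry,possible` rule with twelve `-S` entries, while the hypothetical `-F uid=0` rule is left alone because its filter set differs. The merge key deliberately ignores where a rule sits in the file; if your rule set relies on first-match ordering (for example an exclude rule placed before a broad syscall rule), review the output before loading it, since pulling a later rule forward to join an earlier one can change which rule fires.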