I was doing some testing on the lspp .80 kernel and discovered that when issuing a simple watch on ia64, I didn't get audit records as I expected. For example, auditctl -w /foo, which defaults to -p rwxa, followed by a chmod or a chcon on the file generated no audit records. I filed this bugzilla: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239887 The problem exists but is less severe on other architectures. Klaus posted a patch in the bugzilla (see below) and also recommended that unknown syscalls not be silently ignored. I have tested Klaus' patch and it solves the problem I saw on ia64. I'm sure Klaus would be happy to post a signed off patch. -- ljk --- linux-2.6.18.i686/kernel/auditfilter.c.lspp.80 2007-05-11 17:06:08.000000000 -0500 +++ linux-2.6.18.i686/kernel/auditfilter.c 2007-05-11 17:09:37.000000000 -0500 @@ -306,7 +306,7 @@ int audit_match_class(int class, unsigned syscall) { - if (unlikely(syscall >= AUDIT_BITMASK_SIZE * sizeof(__u32))) + if (unlikely(syscall >= AUDIT_BITMASK_SIZE * 32)) return 0; if (unlikely(class >= AUDIT_SYSCALL_CLASSES || !classes[class])) return 0;