I have a couple of requirements which on the face of it don't seem simple to achieve with auditctl. These are: * Audit changes to executables * Audit changes to configuration files I'll concentrate on the former as it's more obviously problematic. I believe this would require putting a watch explicitly on every executable in the system. If this isn't correct, please correct me and this problem goes away. Assuming it is, though, I don't believe this is a practical solution. It occurs to me that this might be more easily achieved with SELinux. As a test, I made the following small change to the unconfined domain of the RHEL 4 targeted policy macros/global_macros.te: define(`executable_files', `{ exec_type sbin_t bin_t lib_t shlib_t ld_so_t }') #allow $1 file_type:dir_file_class_set *; allow $1 file_type:dir_file_class_set ~execute; allow $1 executable_files:dir_file_class_set *; auditallow $1 executable_files:dir_file_class_set { create write rename setattr append relabelfrom }; This does 2 things. Firstly it enforces that the system won't execute files which aren't labelled with an executable type. This is really just to make sure everything is caught by the second rule, which is to audit changes to executables. To make this thorough, you'd have to go through everywhere else execute is granted in other domains. However, I'm worried I might be stepping outside design intentions. Is the above a good idea? Is using SELinux for writing auditing rules a good idea in general? uIs there a better way to achieve this and similar requirements which affect a potentially large class of file? Thanks, Matt -- Red Hat, Global Professional Services M: +44 (0)7977 267231 GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490