I note from the auditctl man page that sending a shorter list of audit rules to the kernel is preferrable. Specifically, specifying lots of system calls in a single rule is recommended. However, this makes audit.rules unpleasant to look at and impossible to comment. While audit.rules allows comments to be put on their own lines, it doesn't allow a rule to be split over multiple lines, or comments at the end of lines. So rather than: -a entry,always -S chmod -S fchmod -S chown -S fchown -S lchown -S creat -S truncate -S ftruncate -S mkdir -S rmdir -S exit -S exit_group -S execve -S vfork -S fork -S clone -F auid!= 101 -F auid!=102 -F auid!=103 it would be much nicer to write something like: -a entry,always -S chmod -S fchmod -S chown -S fchown -S lchown # Attribute changes -S creat -S truncate -S ftruncate -S mkdir -S rmdir -S exit -S exit_group -S execve -S vfork -S fork -S clone # Task creation -F auid!= 101 -F auid!=102 -F auid!=103 # Filter Oracle activity Matt -- Red Hat, Global Professional Services M: +44 (0)7977 267231 GPG ID: D33C3490 GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490