On Tuesday 02 August 2005 17:03, Michael C Thompson wrote: > auditctl -a entry,always -S open -F a2=448 -F exit!=0 -F auid=500 -F euid=0 You can't check exit at syscall entry. Does taking that out fix the problem? You cannot check: exit, success, major, minor, or inode at syscall entry. -Steve