On Tuesday, March 22, 2016 12:55:25 PM Warron S French wrote: > Does the "-e 2" have to be the last line of the audit.rules file? Yes. Once its sent to the kernel, the kernel rules tables are immutable. > Does it have to be listed prior to all of the syscalls and watches > configured in the file? No. This will make it not load anything. -Steve