I am still seeing some problems with missing watch records ... here is one scenario:

    auditctl -w /tmp/file -k test-key    (watch insert record generated)
    touch /tmp/file                      (watch record generated)
    echo "testing" > /tmp/file1          (NO record)
    rm /tmp/file1                        (NO record & kernel hangs)

It looks like the system hangs every time I attempt to remove a watched file.

- Loulwa