Steve Grubb wrote: > > You use file watches: > > auditctl -w /usr/sbin/stunnel -p x -k my-file-is-executed > > There are examples of this in the CAPP & LSPP rules. You can find this > by 'rpm -ql audit | grep lspp' Thanks Steve. I completely overlooked the example files. -- Bill