On Tuesday, December 20, 2011 12:55:49 PM Max Williams wrote: > How come this event is not ignored due to the 8th rule? I think I'm missing > something. One piece of information is missing. The enforcement of the audit policy is done by the kernel. What do you get for uname -r? -Steve