(It would be nice to be able to choose to get logging of all instances of denial in permissive mode.) But the denial is the same whether I do 'ls /etc/shadow' or 'mv /etc/shadow /etc/shadow.save'. Is there a way to show the different system calls? I'm sure there is, but I'm just getting started in the nitty-gritty of this stuff and a few hints would be appreciated. Here's my situation: I have a customer who wants to audit specific commands on specific files and directories, i.e., who's doing what to whom and when. Is there an "easy" way to do something like that? Thanks, and I'll try not to bug you any more. Tom Browder
