Not sure how Linux handles this, but on Irix, when I accidentally tried to audit one of the "write" audit record types, it would crash the machine. If I still understand this correctly (it's been a few years), the record I had selected for audit generated/collected an audit record every time ANYTHING got written to, including terminal devices, not just when you issued a "save" on a file, so every character that I typed created an audit record. It was very ugly, and definitely not what I wanted (and definitely not anything anyone was requiring me to collect).
Food for thought,
Karen Wieprecht

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
