Hi,
I am using ubuntu 8.10.
kernel version: 2.6.27-7

I have added the rule.

root@bbb-laptop:/home/bbb# auditctl -l
LIST_RULES: exit,always watch=/home/bbb/hihi perm=rwa key=hihi

But no read/write action is recorded after doing cat. Only open syscall is recorded.

root@bbb-laptop:/home/bbb# cat hihi

Here's the audit log:

type=PATH msg=audit(1234807352.706:7284): item=0 name="hihi" inode=930338 dev=08:12 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1234807563.618:7285): arch=40000003 syscall=5 success=yes exit=3 a0=bfb2a709 a1=8000 a2=0 a3=8000 items=1 ppid=7267 pid=26568 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=4294967295 comm="cat" exe="/bin/cat" key="hihi"
type=CWD msg=audit(1234807563.618:7285): cwd="/home/bbb"
type=PATH msg=audit(1234807563.618:7285): item=0 name="hihi" inode=930338 dev=08:12 mode=0100644 ouid=0 ogid=0 rdev=00:00



Below is my auditd configuration file:

root@bbb-laptop:/home/bbb# cat /etc/audit/auditd.conf
#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossless
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND

Quoting 'man 8 auditctl': "These permissions are not the standard filepermissions, but rather the kind of syscall that would do this kind of thing. The read & write syscalls are omitted from this set since they would overwhelm the logs. But rather for reads or writes, the open flags are looked at to see what permission was requested.".