
I'm using a rule in auditd which is:
-w /etc -p wa -k watch_etc
But upon checking the report using ausearch -k watch_etc -ts today | aureport -f -i
I can't seem to find the changes I've made in the directory /etc/auditd/rules.d/.
However, creating a file under /etc/ with the touch command will create an entry in the report:

01/24/2019 09:11:03 test open yes /usr/bin/touch root 7441

Gilroy

1 Answer


I came across a thread that uses a different method but with the same results. I've come up with a solution:

-a exit,always  -F dir=/etc  -p wa -F key=watch_etc
Gilroy
  • Hi Gilroy. Please consider explaining what each option does in the above line, or referencing a thread that explains this. Thank you. – TelamonAegisthus May 26 '22 at 00:49
  • @TelamonAegisthus see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-defining_audit_rules_and_controls – smac89 Sep 09 '22 at 04:18
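One way to check such a report for events under a particular directory, as an added example that is not from the question or the answer: a small parser for the `aureport -f -i` output format shown above (columns date, time, file, syscall, success, exe, auid, event). The report lines in it are constructed; only the touch event is the one from the question, and the rules.d entries assume the path /etc/audit/rules.d.

```python
import re

# Constructed sample of `aureport -f -i` output: the first event line is the
# one from the question, the others are made up for this example.
SAMPLE_REPORT = """\
File Report
===============================================
# date time file syscall success exe auid event
===============================================
01/24/2019 09:11:03 test open yes /usr/bin/touch root 7441
01/24/2019 09:15:40 /etc/audit/rules.d/10-etc.rules openat yes /usr/bin/vim root 7452
01/24/2019 09:15:41 /etc/audit/rules.d/.10-etc.rules.swp unlink yes /usr/bin/vim root 7453
01/24/2019 09:20:02 /etc/passwd openat no /usr/bin/cat alice 7460
"""

DATE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ")

def parse_file_report(text):
    """Parse event lines of `aureport -f -i` into dicts; header lines are skipped."""
    records = []
    for line in text.splitlines():
        if not DATE_RE.match(line):
            continue                     # title, separator or column header
        tok = line.split()
        if len(tok) < 8:
            continue                     # truncated line: skip rather than guess
        records.append({
            "date": tok[0], "time": tok[1],
            "file": " ".join(tok[2:-5]),  # middle columns, so spaces in a name survive
            "syscall": tok[-5], "success": tok[-4],
            "exe": tok[-3], "auid": tok[-2], "event": tok[-1],
        })
    return records

def events_under(records, directory):
    """Events whose recorded name lies under `directory` (absolute names only)."""
    prefix = directory.rstrip("/") + "/"
    return [r for r in records if r["file"].startswith(prefix)]

def relative_names(records):
    """Events whose file column is not absolute (like `test` in the question)."""
    return [r for r in records if not r["file"].startswith("/")]

if __name__ == "__main__":
    recs = parse_file_report(SAMPLE_REPORT)
    for r in events_under(recs, "/etc/audit/rules.d"):
        print(r["time"], r["exe"], r["syscall"], r["file"], "event", r["event"])
    print("relative names:", [r["file"] for r in relative_names(recs)])
```

The file column holds the name as the process supplied it, which is why the touch event in the question shows `test` rather than a full path; for those entries, `ausearch -i -a <event>` shows the CWD and PATH records that place the file in a directory.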