I have configured auditd for PCI compliance reasons.
PCI states that existing logs cannot be changed without generating an alert.
This article http://ptresearch.blogspot.com/2010/11/requirement-10-track-and-monitor-all.html recommends doing this:
-w /var/log/ -k Logs_Accessed -p rwxa
Will this auditctl command work? Surely you will end up in a circle, with an audit event writing to the log provoking another audit event, etc.?