How to Watch All Directories (Including All Subdirectories) Using Auditd?

1

I'm using a rule in auditd, which is:
-w /etc -p wa -k watch_etc
But upon checking the report using ausearch -k watch_etc -ts today | aureport -f -i,
I can't seem to find the changes I've made in the directory /etc/auditd/rules.d/.
However, creating a file under /etc/ will create an entry in the report showing that I've used the touch command.

01/24/2019 09:11:03 test open yes /usr/bin/touch root 7441

Gilroy Toledano

Posted 2019-01-24T01:24:45.497

Reputation: 11

Answers

0

I came across a thread that uses a different method but with the same results. I've come up with a solution:

-a exit,always  -F dir=/etc  -p wa -F key=watch_etc

Gilroy Toledano

Posted 2019-01-24T01:24:45.497

Reputation: 11
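
An added example, not part of the original question or answer: a POSIX shell function (hypothetical name `covering_key`) that reads a rule set and reports which rule key, if any, audits a given path, so a nested path such as one under /etc/auditd/rules.d/ can be checked against both rule syntaxes shown above. It treats `-w` on a directory and `-F dir=` as recursive, as the auditctl man page describes them; the sample rules and target paths are constructed.

```shell
#!/bin/sh
# Constructed sample rules: the second is the watch from the question, the
# third uses the syscall-rule syntax from the answer with a perm= field.
SAMPLE_RULES='-w /etc/shadow -p wa -k shadow_file
-w /etc -p wa -k watch_etc
-a exit,always -F dir=/var/log -F perm=r -F key=log_reads'

# covering_key RULES PATH PERM
# Prints the key of the first rule that audits PERM (r, w, x or a) on PATH and
# returns 0; returns 1 when no rule covers it. Hypothetical helper, plain POSIX
# sh, so its variables are globals.
covering_key() {
    rules=$1 target=$2 want=$3
    while IFS= read -r line; do
        # No perm given: treated as all four (assumption for syscall-form rules).
        scope=- perms=rwxa key='' recursive=no
        set -f; set -- $line; set +f      # split the rule into words, no globbing
        while [ $# -ge 2 ]; do            # look at each option/value pair
            case $1 in
                -w) scope=${2%/} recursive=yes ;;  # recursive if it is a directory
                -p) perms=$2 ;;
                -k) key=$2 ;;
                -F) case $2 in
                        dir=*)  scope=${2#dir=}; scope=${scope%/}; recursive=yes ;;
                        path=*) scope=${2#path=}; recursive=no ;;
                        perm=*) perms=${2#perm=} ;;
                        key=*)  key=${2#key=} ;;
                    esac ;;
            esac
            shift
        done
        [ "$scope" != - ] || continue                     # not a file system rule
        case $perms in *"$want"*) ;; *) continue ;; esac  # access type not audited
        case $target in
            "$scope") ;;                                  # the watched object itself
            "$scope"/*) [ "$recursive" = yes ] || continue ;;  # inside the subtree
            *) continue ;;                                # e.g. /etcetera is not /etc
        esac
        printf '%s\n' "${key:-(no key)}"
        return 0
    done <<EOF
$rules
EOF
    return 1
}

for p in /etc/auditd/rules.d/test.rules /etcetera/file; do
    if k=$(covering_key "$SAMPLE_RULES" "$p" w); then echo "$p: audited by key $k"
    else echo "$p: not covered"; fi
done
```

To check a live configuration instead of the sample, pass the output of `auditctl -l` (run as root) as the first argument.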