I'm using a rule in auditd which is:
-w /etc -p wa -k watch_etc
But upon checking the report using ausearch -k watch_etc -ts today | aureport -f -i, I can't seem to find the changes I've made in the directory /etc/auditd/rules.d/.
However, creating a file under /etc/ will create an entry in the report showing that I've used the touch command.
01/24/2019 09:11:03 test open yes /usr/bin/touch root 7441