1
In my /etc/audit/audit.rules
, I have the following watch:
-w /some/place/special -p rwxa -k my_key
On my filesystem, I have the following tree:
/some/place/special/foo/test-rename/james/sub-subdirectory1/a_file
...but no event is showing up in the log when I run:
mv /some/place/special/foo/test-rename/james/sub-subdirectory1/a_file /some/place/special/foo/test-rename/bill/sub-subdirectory1/a_file
How do I configure auditd
to catch this?