I am new to linux so maybe I'm misunderstanding somthing. After copying from /usr/share/doc/audit-1.7.7/nispom.rules to /etc/audit/audit.rules I can perform a ausearch on items that have a
-w flag:

-w /etc/localtime -p wa -k TIME_CHANGE

ausearch –k TIME_CHANGE

however items that have a -a flag

-a exit,always -F arch=b64 -S rmdir -S unlink -F exit=-EACCES -k delete

I perform a ausearch -k delete after I provoked a rmdir that of course failed however the ausearch response is somthing like "no match found". Should it have reported an attempt to delte a folder was made and failed?

Am I missing somthing or is this somthing I misunderstood. I thought if I attempted to delete a folder or directory (and failed) it would find the event and report back after perform an ausearch.

Thanks
John

Add a '-a entry,always -S rmdir -S unlink -k delete' rule and test to see if that works?