audit.rules statement entered from
I am new to Linux so maybe I'm misunderstanding something. After copying from /usr/share/doc/audit-1.7.7/nispom.rules to /etc/audit/audit.rules I can perform an ausearch on items that have a -w flag:
-w /etc/localtime -p wa -k TIME_CHANGE
ausearch -k TIME_CHANGE
However, items that have an -a flag:
-a exit,always -F arch=b64 -S rmdir -S unlink -F exit=-EACCES -k delete
I perform an ausearch -k delete after I provoked an rmdir that of course failed; however, the ausearch response is something like "no match found". Should it have reported that an attempt to delete a folder was made and failed?
Am I missing something, or is this something I misunderstood? I thought if I attempted to delete a folder or directory (and failed) it would find the event and report back after performing an ausearch.
Thanks
John
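As an added illustration (not part of the original post, and not code from audit-userspace), the following Python model evaluates the -a rule quoted above against constructed syscall events, assuming simplified filter semantics limited to arch, the -S list and exit=-ERRNO. It shows the three ways a failed delete can yield no event under key delete: the syscall returned an errno other than EACCES, a different syscall (such as unlinkat) was used, or the call was made through the 32-bit syscall table.

```python
import errno
import shlex

# Simplified model of how auditd evaluates a syscall rule.  Only the filters
# used on this page are modelled: -F arch=..., -S <syscall>, -F exit=-ERRNO.
def parse_rule(line):
    toks = shlex.split(line)
    rule = {"syscalls": set(), "filters": {}, "key": None}
    i = 0
    while i < len(toks):
        flag, val = toks[i], toks[i + 1]
        if flag == "-S":
            rule["syscalls"].add(val)
        elif flag == "-F":
            name, value = val.split("=", 1)
            # "-F exit=-EACCES" means the syscall return value equals -EACCES;
            # normalise the symbolic errno to that numeric return value.
            if name == "exit" and value.startswith("-E"):
                value = -getattr(errno, value[1:])
            rule["filters"][name] = value
        elif flag == "-k":
            rule["key"] = val
        i += 2  # "-a exit,always" and any other flag/value pair is skipped
    return rule

def rule_matches(rule, event):
    """event: dict with 'arch' ('b64'/'b32'), 'syscall' name and 'exit' (int)."""
    if event["syscall"] not in rule["syscalls"]:
        return False
    return all(event.get(name) == want for name, want in rule["filters"].items())

RULE = parse_rule("-a exit,always -F arch=b64 -S rmdir -S unlink -F exit=-EACCES -k delete")

# Constructed events standing in for what the kernel would see (hypothetical values).
EVENTS = {
    "rmdir_nonempty": {"arch": "b64", "syscall": "rmdir", "exit": -errno.ENOTEMPTY},
    "rmdir_eacces":   {"arch": "b64", "syscall": "rmdir", "exit": -errno.EACCES},
    # rm -r on current coreutils typically removes via unlinkat, not rmdir/unlink
    "rm_r_eacces":    {"arch": "b64", "syscall": "unlinkat", "exit": -errno.EACCES},
    "rmdir_32bit":    {"arch": "b32", "syscall": "rmdir", "exit": -errno.EACCES},
}

def which_events_match():
    """Names of the constructed events that would be logged under key 'delete'."""
    return sorted(name for name, ev in EVENTS.items() if rule_matches(RULE, ev))
```

Only rmdir_eacces matches; the other three are the cases a practitioner should check when ausearch reports "no match found" for a syscall rule.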