-F perm in audit rules
Steve Grubb
sgrubb at redhat.com
Wed Sep 9 18:03:12 UTC 2020
On Tuesday, September 8, 2020 7:02:01 PM EDT Gabriel Alford wrote:
> Hello,
>
> By default, does auditd audit read, write, execute, and attribute in audit
> rules or do you need to specify
> -F perm=wxra ?
>
> For example,
>
> -a always,exit -F path=/usr/bin/at -F perm=wrxa
>
> vs
>
> -a always,exit -F path=/usr/bin/at
They are equivalent. Specifying -F perm= is so that you can fine tune what you
want instead of everything.
-Steve
More information about the Linux-audit
mailing list