Newer versions of audit missing information?
Steve Grubb
sgrubb at redhat.com
Mon Feb 28 20:46:38 UTC 2022
On Monday, February 28, 2022 12:29:54 PM EST Mark Gardner wrote:
<snip>
> Notice no information on what file was copied / removed?
>
> Even the earlier log entries don't show what file was copied / removed.

This might be related to record formats changing.

> If I downgrade to audit 3.0-0.17, everything is there.
>
> Is there another way to monitor a directory so we know which files were
> modified / removed?

Well, you can always do ausearch -k test --raw | aureport -f

I'll take a look and see if I can spot what has changed and how this could be
fixed.

-Steve
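
An added example, not part of the original message and not code from the audit project: a Python script that groups raw audit records by event serial and reports, for a given key, which events carry a PATH record naming a file and which carry none (the symptom described in this thread). The sample records, serials, paths and the function names `parse` and `files_for_key` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the raw record layout that `ausearch --raw` prints.
# Serials, paths and key values are made up for illustration.
SAMPLE = """\
type=SYSCALL msg=audit(1646080000.101:500): arch=c000003e syscall=263 success=yes exit=0 comm="rm" exe="/usr/bin/rm" key="test"
type=CWD msg=audit(1646080000.101:500): cwd="/root"
type=PATH msg=audit(1646080000.101:500): item=0 name="/srv/watched" inode=100 nametype=PARENT
type=PATH msg=audit(1646080000.101:500): item=1 name="/srv/watched/a.txt" inode=101 nametype=DELETE
type=SYSCALL msg=audit(1646080000.202:501): arch=c000003e syscall=257 success=yes exit=3 comm="cp" exe="/usr/bin/cp" key="test"
type=SYSCALL msg=audit(1646080000.303:502): arch=c000003e syscall=257 success=yes exit=3 comm="cat" exe="/usr/bin/cat" key="other"
type=PATH msg=audit(1646080000.303:502): item=0 name="/etc/hosts" inode=200 nametype=NORMAL
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(raw):
    """Group records by event serial; all records of one event share it."""
    events = defaultdict(list)
    for line in raw.split("\n"):
        m = HEADER.match(line.strip())
        if m:
            rtype, serial, body = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
            events[int(serial)].append((rtype, fields))
    return events

def files_for_key(raw, key):
    """Return (found, missing): named files per keyed event, and keyed events naming none."""
    found, missing = [], []
    for serial, records in sorted(parse(raw).items()):
        sc = next((f for t, f in records if t == "SYSCALL"), None)
        if sc is None or sc.get("key") != key:
            continue
        # PARENT items name the containing directory, not the file acted on.
        paths = [(f.get("nametype"), f.get("name")) for t, f in records
                 if t == "PATH" and f.get("nametype") != "PARENT"]
        if paths:
            found += [(serial, sc.get("comm"), nt, name) for nt, name in paths]
        else:
            missing.append(serial)  # the symptom: event logged, file name absent
    return found, missing

if __name__ == "__main__":
    found, missing = files_for_key(SAMPLE, "test")
    for row in found:
        print(*row)
    print("keyed events without a file name:", missing)
```

File names that the audit system logs hex-encoded (for example, names containing spaces) are returned as logged, without decoding.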