Hello,

By default, does auditd audit read, write, execute, and attribute in audit
rules or do you need to specify
-F perm=wxra ?

For example,

-a always,exit -F path=/usr/bin/at -F perm=wrxa

vs

-a always,exit -F path=/usr/bin/at

Thanks and let me know if what I am asking doesn't make sense.

Gabriel Alford

Member of the technical staff

office of the chief technologist

red hat Public Sector

Red Hat

<https://www.redhat.com>

ralford@redhat.com    T: 972-707-6483 <650-254-4391>    M: 303-550-7234
<https://red.ht/sig> <https://red.ht/sig>