LinuxCommandLibrary

auditctl

Utility to control the behavior of, get the status of, and manage the rules of the Linux Auditing System (the kernel audit subsystem that auditd collects events from).

TLDR

Display the [s]tatus of the audit system
$ sudo auditctl -s

[l]ist all currently loaded audit rules
$ sudo auditctl -l

[D]elete all audit rules
$ sudo auditctl -D

[e]nable/disable the audit system
$ sudo auditctl -e [1|0]

Watch a file for changes
$ sudo auditctl -a always,exit -F arch=b64 -F path=[/path/to/file] -F perm=wa

Recursively watch a directory for changes
$ sudo auditctl -a always,exit -F arch=b64 -F dir=[/path/to/directory/] -F perm=wa

Display [h]elp
$ auditctl -h
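The watch rules and the status check above are usually wrapped in a small script when they are rolled out to more than one host. The following shell helpers are an added example, not part of the LinuxCommandLibrary page: watch_rule builds the same always,exit rule shown above, choosing -F path= for a file and -F dir= for a directory (a trailing slash marks a directory here, which is this example's own convention), and tags it with -k so the events can later be filtered by key. audit_enabled reads "auditctl -s" output and prints the value of its "enabled" line; the SAMPLE_STATUS text is constructed for the offline run, not captured from a real host.

```shell
#!/bin/sh
# Added example around the auditctl invocations on this page (not the page's
# own code). Everything below runs without root: it only builds command lines
# and parses constructed status text.

# Print the auditctl command that watches a path.
#   $1 = path (trailing slash = directory, watched recursively via -F dir=)
#   $2 = permissions to trigger on: any of r,w,x,a (default wa, as on the page)
#   $3 = audit key so the events can be found with ausearch -k / aureport -k
watch_rule() {
    path=$1
    perm=${2:-wa}
    key=${3:-watch}
    case $path in
        */) field="dir" ;;   # directory: recursive watch
        *)  field="path" ;;  # single file
    esac
    printf 'auditctl -a always,exit -F arch=b64 -F %s=%s -F perm=%s -k %s\n' \
        "$field" "$path" "$perm" "$key"
}

# Read "auditctl -s" output on stdin and print the value of the "enabled"
# line (0 = off, 1 = on, 2 = on and locked). Returns 1 if the line is missing,
# which is what a health check should treat as "audit state unknown".
audit_enabled() {
    while read -r name value _; do
        if [ "$name" = "enabled" ]; then
            echo "$value"
            return 0
        fi
    done
    return 1
}

# Constructed sample of "auditctl -s" output (pid and limits are made up).
SAMPLE_STATUS='enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'

# Stand-alone demonstration: show the generated rules and the parsed state.
watch_rule /etc/passwd
watch_rule /etc/ssh/ r identity
printf '%s\n' "$SAMPLE_STATUS" | audit_enabled
```

The generated lines are the long form of the watch syntax; auditctl also accepts the shorthand `-w /path -p wa -k key`, which produces an equivalent rule. Rules loaded this way are lost at reboot, so on a real host the same lines (without the leading "auditctl") belong in a file under /etc/audit/rules.d/ where auditd reloads them at start.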
