Hi All,
Can I use auditd to track content written to specific files? For example,
in this case
https://access.redhat.com/solutions/10107, how can I keep
track of what string was written to the `/etc/hosts` file over time and extract
this information later from logs?
The reason I asked this question is that I am trying to audit some
simulated attack scenario and in this particular attack scenario I need to
know what content was written/changed to a sensitive file over time to
fully understand the attack. Even if the attack deletes the contents of the
sensitive file at time t_2, I need to extract what was written to the file at
time t_1.
Thanks,
Wajih