Hello, By default, does auditd audit read, write, execute, and attribute in audit rules or do you need to specify -F perm=wxra ? For example, -a always,exit -F path=/usr/bin/at -F perm=wrxa vs -a always,exit -F path=/usr/bin/at Thanks and let me know if what I am asking doesn't make sense. Gabriel Alford Member of the technical staff office of the chief technologist red hat Public Sector Red Hat <https://www.redhat.com> ralford(a)redhat.com T: 972-707-6483 <650-254-4391> M: 303-550-7234 <https://red.ht/sig> <https://red.ht/sig>