Can someone give me an example of how to audit the "date" command in the
audit.rules file? I would like for it to report only failures for a
user using the command. Root using the command would report nothing. I
can get this working for file watches but not for executables using:

    -a exit,always -w /etc/shadow -S open -F success!=1

Thanks!