Hi All,

Can I use auditd to track content written to specific files? For example, in this case https://access.redhat.com/solutions/10107, how can I keep track of what string was written to `/etc/hosts` file over time and extract this information later from logs? 

The reason I asked this question is that I am trying to audit some simulated attack scenario and in this particular attack scenario I need to know the what content was written/changed to a sensitive file over time to fully understand the attack. Even if the attack deletes the contents of the sensitive file at time t_2, I need to extract what was written to file at time t_1.

Thanks,

Wajih