1. The rules for monitoring '/etc/passwd', '/etc/shadow',
'/etc/group', '/etc/gshadow' exist. Shouldn't corresponding rules
also exist for the same four files which also have a dash/hyphen appended to them (i.e.
'/etc/passwd-', etc...)?
2. By adding 'audit=1' to grub kernel boot param's---can I then safely
eliminate this piece from all audit rules: '-F auid!=4294967295'?Conversely, what
harm would it do to 'just leave it'? It would, in some cases, satisfy certain
vulnerability scanning tools seeking exact syntax compliance, right?
Thank you.
R,-Joe Wulf