1. The rules for monitoring '/etc/passwd', '/etc/shadow', '/etc/group', '/etc/gshadow' exist. Shouldn't corresponding rules also exist for the same four files which also have a dash/hyphen appended to them (i.e. '/etc/passwd-', etc...)?
2. By adding 'audit=1' to grub kernel boot param's---can I then safely eliminate this piece from all audit rules: '-F auid!=4294967295'?
Conversely, what harm would it do to 'just leave it'? It would, in some cases, satisfy certain vulnerability scanning tools seeking exact syntax compliance, right?
Thank you.
R,
-Joe Wulf