Hello,

By default, does auditd audit read, write, execute, and attribute in audit rules or do you need to specify
-F perm=wxra ?

For example,

-a always,exit -F path=/usr/bin/at -F perm=wrxa

vs

-a always,exit -F path=/usr/bin/at

Thanks and let me know if what I am asking doesn't make sense.

Gabriel Alford

Member of the technical staff

office of the chief technologist

red hat Public Sector

Red Hat

ralford@redhat.com    T: 972-707-6483    M: 303-550-7234