How to configure Auditd to see directory name change?

auditd redhat-enterprise-linux

Solution 1:

If a subdirectory is a mountpoint, it will be skipped. Use '-q' to disable this behavior.

Also, verify that the rule loaded properly by running:

auditctl -l

to list all rules.

It is also advisable to use syscall rules (e.g., '-a') instead of watch rules ('-w') since the syscall rules are more versatile. The equivalent syscall rule for your rule is:

-a always,exit -F path=/some/place/special -F perm=rwxa

If the file movement is still not getting audited, I suggest, try some other operation, e.g., creating a file or a directory in the 'special' directory, since that will trigger the 'w' permission.

It is always a good idea to use some other operation with 'strace' to identify which syscalls are getting used.

Related

How to find the validation list for a cell?
Can open settings in Linux Mint only using the terminal and when logged in as the root user
Windows keyboard won't type capitalized T
How to merge three mp4 files with same encoding/codex by Avidemux using command line?
VBA - Using Excel Variable in Word
How to install Unity tweak tool and themes in Ubuntu 20.04?
I can't connect to ms sql instance - internal
How do I stop HP from opening system information? [duplicate]
What is the type of the UART chip used by Virtual Box?
How to secure OneNote cache ( having sensitive information)
MS Edge How to use command+D to Select the URL in the address bar to edit
enable track pad tapping in awesome wm