auditctl

linux

Utility to control the behavior, get status and manage rules of the Linux Auditing System.

Examples (7)

Display the [s]tatus of the audit system

sudo auditctl -s

[l]ist all currently loaded audit rules

sudo auditctl -l

[D]elete all audit rules

sudo auditctl -D

[e]nable/disable the audit system

sudo auditctl -e 1|0

Watch a file for changes

sudo auditctl -a always,exit -F arch=b64 -F path=/path/to/file -F perm=wa

Recursively watch a directory for changes

sudo auditctl -a always,exit -F arch=b64 -F dir=/path/to/directory/ -F perm=wa

Display [h]elp

auditctl -h