Hello, I'm trying to figure out which processes are deleting files from a specific directory, so I want to set up and run auditd on my system.
I've set up the following (only) rule in audit.rules:

    -a exit,always -F arch=x86_64 -S unlinkat -S truncate -S ftruncate -F dir=/home/myfolder/cache -F key=cache_deletion

Then I type this to start the audit daemon:

    auditctl -R /etc/audit/audit.rules -e 1

But I get this error message:

    Error - nested rule files not supported

Does anyone know what I am doing wrong here, and how I can resolve this?

Tola
--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
