I noticed a weird behavior. I NFS mount /usr/local on my Redhat machines.

If I put a watch for a directory in that NFS mount:

-w /usr/local/mywatchdir/ -p rwxa -F exit!=-ENODATA -F success!=1 -k watch


On Redhat 6.4, I don't see audit events when trying to remove or change files 
in that dir.
On Redhat 6.8, I do see the audit events when trying to remove or change files 
in that dir.

Any ideas of possible features added to auditd between those releases?  I would 
like to be able to speak to it for security audits.



--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
