start:
	binmode = off
	streammode = on
stream:
	cmds = /etc/security/audit/cccstream
classes:
	…
	filewatch = PROC_Create,PROC_Delete,FILE_Open,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,FILE_Rename,FILE_Owner,FILE_Mode,FILE_Fchmod,FILE_Fchown,FS_Chdir,FS_Fchdir,FS_Chroot,FS_Mkdir,FS_Rmdir,FILE_Symlink,FILE_Dupfd,FILE_Mknod,FILE_Utimes
users:
	root = filewatch
	default = filewatch
Note:
- In this case, default refers to all users that are not root. Note also that the last line of the config file should be a blank line.
- Each parameter (binmode, streammode, filewatch, root, and default) must have a tab in front of it. You can verify that the audit system has read all variables correctly by running the audit query command; make sure the filewatch class appears in its output.