I run the following, with the idea that I want to log any changes to the permissions of the home/username directory:
auditctl -w /home/username -p a
Then I run the following:
tail -f /var/log/audit/audit.log
and I watch changes. I open another terminal, ssh in, and I see the ssh in the audit.log as it happens. I switch to sudoer, I see it in the audit.log. When I close another terminal window, I see it in the audit.log.
However, if I do anything to /home/username, I see nothing. I chmod the directory using absolute and relative paths, nothing happens. I touch a new file in /home/username, nothing happens. I chmod that file, nothing happens.
I have tried everything in the following places: Monitor or log directory permission changes? and https://unix.stackexchange.com/questions/196840/how-to-investigate-what-is-modifying-a-directories-permission-on-linux and https://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html and even https://access.redhat.com/solutions/10107
and absolutely nothing seems to work. ausearch reveals nothing and aureport shows no data. I used each of the variations on the theme listed in each of the above-mentioned references, and I cannot get anything to work.
what is odd, is that I can easily do this in ubuntu (it works fine) but not in my rhel-based instance (AWS Amazon Linux)
I am at a loss, can someone please pass some advice my way? I am probably missing something obvious.
