
So I have this rule on auditctl:

-w /home/ec2-user/myfile -p rwa -k key-name

But when I run

ausearch -f /home/ec2-user/myfile

or check the logs in /var/log/audit/audit.log, I can't see any read record for that file, even when I run cat, grep, vi, or nano against the file (or open it for reading in Python). If I make a write/append change, though, auditd does log it. Is there any other way to know what process is reading from a particular file?

1 Answer

The commands listed in your question do work as expected on a system where auditd/SELinux is active. Tested on Fedora 33.

Is auditd installed and running on your system?

hargut
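As an added example (not part of the question or the answer above), here is a small Python parser that answers the question's last point directly: it correlates the SYSCALL and PATH records auditd writes for a -w rule and reports which process opened the watched file and whether the open was for reading or writing. The log lines are constructed, and the syscall numbers and flag-argument positions assume x86_64 (arch=c000003e).

```python
import re
from collections import defaultdict

# Constructed sample in the record format auditd writes to /var/log/audit/audit.log:
# event 456 is cat opening the file read-only, event 457 is bash opening it for append.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1617292345.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c9f5e2a0 a2=0 a3=0 items=1 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" key="key-name"
type=CWD msg=audit(1617292345.123:456): cwd="/home/ec2-user"
type=PATH msg=audit(1617292345.123:456): item=0 name="/home/ec2-user/myfile" inode=2101 dev=ca:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1617292399.500:457): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1a2b3c4d a2=441 a3=1b6 items=1 ppid=1200 pid=1240 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" key="key-name"
type=PATH msg=audit(1617292399.500:457): item=0 name="/home/ec2-user/myfile" inode=2101 dev=ca:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
"""

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
# x86_64 (arch=c000003e) only: open()=2 keeps its flags in a1, openat()=257 in a2.
FLAG_ARG = {"2": "a1", "257": "a2"}
# O_ACCMODE, the low two bits of the flags: O_RDONLY=0, O_WRONLY=1, O_RDWR=2
ACCESS = {0: "read", 1: "write", 2: "read-write"}

def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in TOKEN.findall(line)}
    m = EVENT_ID.search(fields.get("msg", ""))
    fields["event_id"] = m.group(2) if m else None
    return fields

def file_accesses(log_text, key):
    """One dict per open()/openat() event tagged with `key`: who opened the file, and how."""
    events = defaultdict(list)            # event serial -> all records of that event
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["event_id"]].append(rec)
    results = []
    for recs in events.values():
        sysc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if not sysc or sysc.get("key") != key or sysc.get("arch") != "c000003e":
            continue
        arg = FLAG_ARG.get(sysc["syscall"])
        if arg is None:
            continue                      # not an open-style syscall on this arch
        flags = int(sysc[arg], 16)        # audit logs syscall arguments as bare hex
        results.append({
            "pid": sysc["pid"], "uid": sysc["uid"], "comm": sysc["comm"],
            "exe": sysc["exe"], "access": ACCESS[flags & 3],
            "paths": [r["name"] for r in recs if r["type"] == "PATH"],
        })
    return results
```

On a live system, feed it the audit.log itself or the output of `ausearch -k key-name --raw`; read-only opens show up as access "read" with the process that issued them.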