I run the following, with the idea that I want to log any changes to the permissions of the home/username directory:
auditctl -w /home/username -p a
Then I run the following:
tail -f /var/log/audit/audit.log
and I watch changes. I open another terminal, ssh in, and I see the ssh in the audit.log as it happens. I switch to sudoer, I see it in the audit.log. When I close another terminal window, I see it in the audit.log.
However, if I do anything to /home/username, I see nothing. I chmod the directory using absolute and relative paths, nothing happens. I touch a new file in /home/username, nothing happens. I chmod that file, nothing happens.
I have tried everything in the following places:
Monitor or log directory permission changes?
and
https://unix.stackexchange.com/questions/196840/how-to-investigate-what-is-modifying-a-directories-permission-on-linux
and
https://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html and even https://access.redhat.com/solutions/10107
and absolutely nothing seems to work. ausearch reveals nothing and aureport shows no data. I used each of the variations on the theme listed in each of the above-mentioned references, and I cannot get anything to work.
What is odd is that I can easily do this in Ubuntu (it works fine) but not in my RHEL-based instance (AWS Amazon Linux).
I am at a loss; can someone please pass some advice my way? I am probably missing something obvious.
Best Answer
And embarrassingly enough, after spending hours trying to figure out the answer this morning, I figured it out a few minutes after posting this.
Amazon Linux instances come with a line in the /etc/audit/audit.rules file that requires removal/commenting out in order to enable auditing: -a never,task
So if you don't comment that line out, even if auditctl -l shows the rule, it will not get logged. The same line is in /etc/audit/rules.d/audit.rules.default.
hangs head in shame
I'll leave this up here in case other AWS users experience the same issue.
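As an added example (not part of the answer above), the following POSIX shell script scans auditd rule files for an active -a never,task (or -a task,never) line, the rule that makes a watch such as auditctl -w /home/username -p a show up in auditctl -l yet never log anything. The file list in check_audit_rules and the constructed sample rules file are assumptions, not copied from Amazon Linux.

```shell
#!/bin/sh
# Added example: find an uncommented "-a never,task" rule that suppresses
# auditing for every new task, so file watches never reach audit.log.

# Print any active "-a never,task" / "-a task,never" lines in FILE.
# Returns 0 if none are active (watches can log), 1 if at least one is.
find_never_task() {
    file="$1"
    if [ ! -r "$file" ]; then
        return 0
    fi
    # Drop comment lines, then match either order of the never/task pair.
    hits=$(grep -v '^[[:space:]]*#' "$file" \
           | grep -E -e '-a[[:space:]]+(never,task|task,never)([[:space:]]|$)' || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s: %s\n' "$file" "$hits"
    return 1
}

# Check every rule file auditd may load on a RHEL-style system (assumed paths).
# Returns 1 if any file still carries the suppressing rule.
check_audit_rules() {
    status=0
    for f in /etc/audit/audit.rules /etc/audit/rules.d/*.rules \
             /etc/audit/rules.d/audit.rules.default; do
        find_never_task "$f" || status=1
    done
    return $status
}

# Constructed sample rules file (assumed layout) so the demo runs offline
# without reading /etc/audit on the machine it is run on.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# This file contains the auditctl rules that are loaded
-D
-b 320
-a never,task
-w /home/username -p a
EOF
    if find_never_task "$tmp"; then
        echo "no suppressing rule: the watch will be logged"
    else
        echo "comment out that line, reload the rules, and the watch will log"
    fi
    rm -f "$tmp"
}

demo
```

Run check_audit_rules as root on the instance itself to scan the live rule files; a non-zero exit means a suppressing rule is still active.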