I am trying to set up the rule below in /etc/audit/audit.rules:
-a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>= 1000 -F auid!=4294967295 -k delete
which didn't work, so I tried executing it directly from the command line, like so:
auditctl -a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>= 1000 -F auid!=4294967295 -k delete
But I am getting the following error:
-F missing operation for auid
Can someone guide me on how to fix this issue?
Best Answer
Executing the mentioned lines leads to the greater-than sign > being interpreted as a redirect operator by your shell, which is presumably bash. For that reason the operation for auid is missing, because everything after > is not part of the command anymore. You probably see a file named = in your current directory. To properly execute it you have to escape >, for example like this:
or like this:
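As an added example (not code from the question or the answer), here is a small POSIX sh lint that word-splits a candidate audit rule line the way auditctl -R and the shell do, and reports the two defects discussed above: a -F field with no operator (what auditctl sees once the shell has swallowed the redirection) and an operator whose value was split off by the stray space. The sample rule strings are constructed from the question.

```shell
#!/bin/sh
# Added example, not from the question or the answer: a lint for lines destined
# for /etc/audit/audit.rules. Every -F argument must be one word of the form
# FIELD<op>VALUE. "-F auid>= 1000" breaks that twice: the space makes 1000 a
# separate word (the rules file is split on whitespace too), and on a command
# line an unquoted > is a shell redirection, so auditctl only receives "-F auid"
# (quote the argument on the command line, e.g. -F 'auid>=1000').

# check_rule 'RULE LINE' -> prints one problem per line, returns 0 if clean.
check_rule() {
    set -f                 # no glob expansion while we word-split the line
    set -- $1              # split on whitespace, as auditctl -R and the shell do
    set +f
    status=0
    while [ $# -gt 0 ]; do
        if [ "$1" = "-F" ]; then
            if [ $# -lt 2 ]; then
                echo "-F with no field at end of rule"
                status=1
                break
            fi
            shift
            field=$1
            case "$field" in
                *'='*|*'<'*|*'>'*|*'&'*)
                    # has an operator; is there a value after it?
                    case "$field" in
                        *'='|*'<'|*'>'|*'&')
                            echo "-F $field has an operator but no value (value was split off by a space)"
                            status=1 ;;
                    esac ;;
                *)
                    # the same wording auditctl prints when it receives "auid" alone
                    echo "-F missing operation for $field"
                    status=1 ;;
            esac
        fi
        shift
    done
    return $status
}

# Constructed samples: the question's rule as written, then the corrected form.
check_rule '-a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>= 1000 -F auid!=4294967295 -k delete'
check_rule '-a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' \
    && echo "rule is well-formed"
```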