I am trying to configure PCI REQ 10.5.5:
"Use file integrity monitoring or change detection software on logs"
I use auditd for this;
the rule "auditctl -w /tmp/testfile -p war" works perfectly.
But if I try to use a stdout redirect on the file, like "echo "hi" >> /tmp/testfile",
the line is appended but audit.log shows no changes.
Does anybody know how to log all changes to a file using auditd?
Best Answer
I just tried this on CentOS 6.3 and got the same result. Reading the file tripped auditd but the append using echo did not.
Including x seems to work. Change
-p war
to
-p warx
and see if that works for you on Ubuntu.