1.  The rules for monitoring '/etc/passwd', '/etc/shadow', '/etc/group', 
'/etc/gshadow' exist.  Shouldn't corresponding rules also exist for the same 
four files which also have a dash/hyphen appended to them (i.e. '/etc/passwd-', 
etc...)?
2.  By adding 'audit=1' to the grub kernel boot params---can I then safely 
eliminate this piece from all audit rules:  '-F auid!=4294967295'?  Conversely, 
what harm would it do to 'just leave it'?  It would, in some cases, satisfy 
certain vulnerability scanning tools seeking exact syntax compliance, right?

Thank you.
R,
-Joe Wulf



--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
