In our next scenario, we created a shared directory for Vicky and Cleopatra and created an audit rule for it that looks like this:
sudo auditctl -w /secretcats/ -k secretcats_watch
So, all accesses or attempted accesses to this directory should trigger an alert. First, let's have Vicky enter the /secretcats directory and run an ls -l command:
[vicky@localhost ~]$ cd /secretcats[vicky@localhost secretcats]$ ls -ltotal 4-rw-rw-r--. 1 cleopatra secretcats 31 Dec 12 11:49 cleopatrafile.txt[vicky@localhost secretcats]$
We see that Cleopatra has already been there and has created a file. (We'll get back to that in a moment.) When an event triggers an auditd rule, it often creates multiple records in ...