
To remove them later, run auditctl with -d in place of -a:

for syscall in open stat lstat read write
do
auditctl -d exit,always -F arch=b64 -S $syscall \

Can be either file, dir, socket, symlink,

May be numeric or the user account name.

filetype The target file's type.

May be numeric or the groups name.

euid Effective User ID.

Watch on the directory and its whole subtree.
