
In my /etc/audit/audit.rules, I have the following watch:

-w /some/place/special -p rwxa -k my_key

On my filesystem, I have the following tree:

/some/place/special/foo/test-rename/james/sub-subdirectory1/a_file

...but no event is showing up in the log when I run:

mv /some/place/special/foo/test-rename/james/sub-subdirectory1/a_file /some/place/special/foo/test-rename/bill/sub-subdirectory1/a_file

How do I configure auditd to catch this?

zx485
Bill

1 Answer


If a subdirectory is a mountpoint, it will be skipped. Use '-q' to disable this behavior.

Also, verify that the rule loaded properly by running:

auditctl -l

to list all rules.

It is also advisable to use syscall rules (e.g., '-a') instead of watch rules ('-w') since the syscall rules are more versatile. The equivalent syscall rule for your rule is:

-a always,exit -F path=/some/place/special -F perm=rwxa

If the file movement is still not getting audited, I suggest trying some other operation, e.g., creating a file or a directory in the 'special' directory, since that will trigger the 'w' permission.

It is always a good idea to use some other operation with 'strace' to identify which syscalls are getting used.
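The following script is an added example and is not part of the question or the answer; it puts the three pieces of advice above (check that the rule is loaded, prefer a syscall rule, run the operation under strace) into one runnable check. It assumes the Linux audit userspace (`auditctl`, `ausearch`), that `auditctl -l` prints keys either as `-k KEY` or as `-F key=KEY` depending on the audit version, and that `-F dir=` places a recursive watch while `-F path=` covers only the named object (both per `man auditctl`). The directory tree and key are the ones from the question; the live part only runs as root on a host with auditd, and returns status 2 otherwise.

```shell
#!/bin/sh
# Added example; not code from the question or the answer above.
# Assumptions: Linux audit userspace with auditctl/ausearch; `auditctl -l`
# prints keys as "-k KEY" or "-F key=KEY" depending on version; -F dir=
# is recursive, -F path= matches only the named object (man auditctl).

# Print the syscall-rule form of "-w DIR -p PERMS -k KEY", using -F dir= so
# that objects in nested subdirectories (.../james/sub-subdirectory1/a_file)
# are covered, not only DIR itself.
syscall_rule() {
    # $1 = directory, $2 = perm letters such as rwxa, $3 = key
    printf -- '-a always,exit -F dir=%s -F perm=%s -k %s\n' "$1" "$2" "$3"
}

# Return 0 if LISTING (text of `auditctl -l`) holds a rule tagged KEY that
# covers DIR as a -w watch or as a -F dir= syscall rule, else 1.
# DIR is used as a regular expression, so keep it free of metacharacters.
rule_loaded() {
    # $1 = listing text, $2 = directory, $3 = key
    printf '%s\n' "$1" |
        grep -E -- "(-w $2|-F dir=$2)( |\$).*(-k $3|-F key=$3)( |\$)" >/dev/null
}

# Live check: load the rule if it is missing, perform the rename from the
# question inside DIR, and show matching events. Skips with status 2 when
# auditctl is not installed or we are not root (as in a build sandbox).
live_check() {
    dir=$1; key=$2
    command -v auditctl >/dev/null 2>&1 || { echo "auditctl not found, skipping"; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "root required, skipping"; return 2; }
    if ! rule_loaded "$(auditctl -l)" "$dir" "$key"; then
        # perm=wa is enough for rename: it is a write-class syscall.
        # Word splitting is intended; DIR must not contain spaces.
        # shellcheck disable=SC2046
        auditctl $(syscall_rule "$dir" wa "$key")
    fi
    src="$dir/foo/test-rename/james/sub-subdirectory1/a_file"
    dst="$dir/foo/test-rename/bill/sub-subdirectory1/a_file"
    mkdir -p "$(dirname "$src")" "$(dirname "$dst")"
    : > "$src"
    # Run mv under strace when available to see which syscall it issues
    # (rename, renameat or renameat2 depending on the coreutils version).
    if command -v strace >/dev/null 2>&1; then
        strace -f -e trace=file mv "$src" "$dst"
    else
        mv "$src" "$dst"
    fi
    ausearch -k "$key" -ts recent
}

# Usage: sh this_script.sh /some/place/special my_key
if [ $# -eq 2 ]; then
    live_check "$1" "$2"
fi
```

If `ausearch` shows nothing even though `rule_loaded` succeeds, the strace output tells you which syscall `mv` used, which is the one to check against the rule's `perm` class; `rule_loaded` deliberately accepts both the watch form and the `-F dir=` form so it can be pointed at a saved `auditctl -l` listing from another host.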