I would like to use the -q flag in an auditd rule, but the rule with the -q flag is not working or even added to the rules list. I have a rule like this:

-a always,exit -F path=/home/lukashubl/ -q /home/lukashubl/dirtest,/home/lukashubl/dirtest/bin -F perm=rwxa

I am using auditbeat and I am getting this error:

flag provided but not defined: -q accessing '0'

I also tried to test the rule with auditctl:

auditctl -a always,exit -F path=/home/lukashubl/ -q /home/lukashubl/dirtest,/home/lukashubl/dirtest/bin -F perm=rwxa

But when I list all rules with auditctl -l, the rule is not there and there is no error in the output.

What is the right syntax and usage of the -q flag in an auditd rule?

0 Answers