auditctl

Utility to control the behavior, get status and manage rules of the Linux Auditing System. More information: https://manned.org/auditctl.

• Display the status of the audit system:

sudo auditctl -s

• list all currently loaded audit rules:

sudo auditctl -l

• Delete all audit rules:

sudo auditctl -D

• enable/disable the audit system:

sudo auditctl -e 1|0

• Watch a file for changes:

sudo auditctl -a always,exit -F arch=b64 -F path=/path/to/file -F perm=wa

• Recursively watch a directory for changes:

sudo auditctl -a always,exit -F arch=b64 -F dir=/path/to/directory/ -F perm=wa

• Display help:

auditctl -h