[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

'Nested rule' error message when getting auditd set up on my server



Hello,

I'm trying to figure out which processes are deleting files from a specific directory, so I want to set up and run auditd on my system.

I've set up the following (only) rule in audit.rules:

-a exit,always -F arch=x86_64 -S unlinkat -S truncate -S ftruncate -F dir=/home/myfolder/cache -F key=cache_deletion

Then I type this to start the audit daemon:

auditctl -R /etc/audit/audit.rules -e 1

But I get this error message:

Error - nested rule files not supported

Does anyone know what I am doing wrong here, and how I can resolve this?

Tola

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]