There appear to be two ways of specifying an auditd rule to watch a given file or folder. The first uses -a:
-a exit,always -F dir=/path/to/file -F perm=wa -F success=1
And the second uses -w:
-w /path/to/file -p wa
Aside from one being obviously shorter, the two appear to have the same effect. Is there some subtle difference between them I need to understand?
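As an added example (not part of the original question), the sketch below normalizes the two rule forms from the question into sets of filters and reports what differs between them. It relies on the equivalence documented in auditctl(8), where -w PATH -p PERMS is the same as -a always,exit with -F path= (file) or -F dir= (directory) plus -F perm=; the helper names canonical and compare and the is_dir parameter are assumptions of this example.

```python
import shlex

# The two rules from the question, copied verbatim.
SYSCALL_RULE = "-a exit,always -F dir=/path/to/file -F perm=wa -F success=1"
WATCH_RULE = "-w /path/to/file -p wa"

def canonical(rule, is_dir):
    """Reduce one rule line to a set of 'field=value' filters.

    is_dir (assumption of this example) says whether the -w target is a
    directory; auditctl determines that itself by inspecting the path.
    """
    tokens = shlex.split(rule)
    if len(tokens) % 2:
        raise ValueError("every option in these rule forms takes one argument")
    fields = set()
    for flag, arg in zip(tokens[::2], tokens[1::2]):
        if flag == "-w":
            # A watch is shorthand for an always,exit rule on path= or dir=.
            fields |= {"list=exit", "action=always"}
            fields.add(("dir=" if is_dir else "path=") + (arg.rstrip("/") or "/"))
        elif flag == "-p":
            fields.add("perm=" + "".join(sorted(arg)))
        elif flag == "-a":
            # auditctl accepts both list,action and action,list ordering.
            for part in arg.split(","):
                kind = "action" if part in ("always", "never") else "list"
                fields.add(f"{kind}={part}")
        elif flag == "-F":
            name, sep, value = arg.partition("=")
            if name == "perm":
                value = "".join(sorted(value))  # wa and aw are the same mask
            elif name in ("dir", "path"):
                value = value.rstrip("/") or "/"
            fields.add(name + sep + value)
        elif flag == "-k":
            fields.add("key=" + arg)
        else:
            raise ValueError(f"unsupported option: {flag}")
    return fields

def compare(rule_a, rule_b, is_dir):
    """Return (filters only in rule_a, filters only in rule_b), sorted."""
    a, b = canonical(rule_a, is_dir), canonical(rule_b, is_dir)
    return sorted(a - b), sorted(b - a)

if __name__ == "__main__":
    for is_dir in (True, False):
        print("target is directory:", is_dir, compare(SYSCALL_RULE, WATCH_RULE, is_dir))
```

When the target is a directory, the only remaining difference is success=1: the -a rule records successful accesses only, while the watch has no success filter. When the target is a regular file, the watch expands to path= rather than the dir= used in the -a rule.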