sudo dnf install -y inotify-tools
inotifywait -m -e create xyz/ --format "%f"
-m: have inotifywait run continuously-e create: specify event to watch for as "create" eventxyz/: name of directory to watch--format "%f: have output print new filename
Events:
access file or directory contents were read
modify file or directory contents were written
attrib file or directory attributes changed
close_write file or directory closed, after being opened in
writeable mode
close_nowrite file or directory closed, after being opened in
read-only mode
close file or directory closed, regardless of read/write mode
open file or directory opened
moved_to file or directory moved to watched directory
moved_from file or directory moved from watched directory
move file or directory moved to or from watched directory
create file or directory created within watched directory
delete file or directory deleted within watched directory
delete_self file or directory was deleted
unmount file system containing file or directory unmounted
sudo dnf install -y audit audit-libs
remove default rule (blocks all other rules)
sudo auditctl -d never,task
auditd's log is located here:
/var/log/audit/audit.log
Its config file is located here:
/etc/audit/audit.conf
sudo auditctl -w /etc/ssh/sshd_config -p rwxa -k sshconfigchange
-w /etc/ssh/sshd_config: specify file to watch-p rwxa: specify what to watch for; rwxa for read, write, execute and append respectively.-k sshconfigchange: key string to use to associate with this rule
sudo ausearch -k sshconfigchange
-k sshconfigchange: look for logs made from rules associated with specified key