auditd

Basic

# list of active rules
auditctl -l

# load rules from /etc/audit/rules.d/
augenrules --load

auditd and cagefs

uname -r
Linux 2.6.32-673.26.1.lve1.4.29.el6.x86_64

auditctl -l
-w /home/ -p w -k rule_home222222222222222

grep 1597345110.576:11886907 /var/log/audit/audit.log

node=testhost type=SYSCALL msg=audit(1597345110.576:11886907): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=16440f0 a2=0 a3=7ffd47bcf400 items=2 ppid=3831869 pid=3831878 auid=4294967295 uid=562 gid=571 euid=562 suid=562 fsuid=562 egid=571 sgid=571 fsgid=571 tty=(none) ses=4294967295 comm="rm" exe="/bin/rm" key="rule_home222222222222222"
node=testhost type=CWD msg=audit(1597345110.576:11886907):  cwd="/home/used12890/public_html"
node=testhost type=PATH msg=audit(1597345110.576:11886907): item=0 name="/tmp/" inode=3240400416 dev=08:20 mode=040700 ouid=562 ogid=571 rdev=00:00 nametype=PARENT
node=testhosttype=PATH msg=audit(1597345110.576:11886907): item=1 name="/tmp/.cagefs.proxy.3831869" inode=3240852358 dev=08:20 mode=0100600 ouid=562 ogid=571 rdev=00:00 nametype=DELETE