Auditing a directory

Vicky and Cleopatra, my solid gray kitty and my gray-and-white tabby kitty, have some supersensitive secrets that they need to safeguard. So, I created the secretcats group and added them to it. I then created the secretcats shared directory and set the access controls on it as I showed you how to do in Chapter 6, Access Control Lists and Shared Directory Management:

[donnie@localhost ~]$ sudo groupadd secretcats
[sudo] password for donnie:

[donnie@localhost ~]$ sudo usermod -a -G secretcats vicky
[donnie@localhost ~]$ sudo usermod -a -G secretcats cleopatra

[donnie@localhost ~]$ sudo mkdir /secretcats
[donnie@localhost ~]$ sudo chown nobody:secretcats /secretcats/
[donnie@localhost ~]$ sudo chmod 3770 /secretcats/

[donnie@localhost ~]$ ls -ld /secretcats/
drwxrws--T. 2 nobody secretcats 6 Dec 11 14:47 /secretcats/
[donnie@localhost ~]$

Vicky and Cleopatra want to be absolutely sure that nobody gets into their stuff, so they requested that I set up an auditing rule for their directory:

[donnie@localhost ~]$ sudo auditctl -w /secretcats/ -k secretcats_watch
[sudo] password for donnie:

[donnie@localhost ~]$ sudo auditctl -l
-w /etc/passwd -p wa -k passwd_changes
-w /secretcats -p rwxa -k secretcats_watch
[donnie@localhost ~]$

As before, the -w denotes what we want to monitor, and the -k denotes the name of the audit rule. This time, I left out the -p option because I want to monitor for every type of access: any read, write, attribute change, or execute action. (Because this is a directory, the execute action happens when somebody tries to cd into it.) You can see in the auditctl -l output that by leaving out the -p, the rule is stored as -p rwxa, so we now monitor for everything. If instead I only wanted to monitor for when someone tries to cd into this directory, I could have made the rule look like this:

sudo auditctl -w /secretcats/ -p x -k secretcats_watch
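Once a watch rule like this is loaded, every matching access is written to /var/log/audit/audit.log as a SYSCALL record carrying the rule's key. As an added example (my own code, not from the book), here is a small Python script that pulls those records out of the raw log and tallies who touched the directory and whether they got in; the log lines are constructed and abbreviated, and the syscall-number table is a partial x86_64 mapping I supply myself.

```python
import re
from collections import Counter

# Constructed, abbreviated sample of /var/log/audit/audit.log records (made-up
# values, not captured from a real host). Each access matching a watch rule
# produces a SYSCALL record carrying the rule's key, followed by PATH records.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1512999900.101:412): arch=c000003e syscall=257 success=yes exit=3 ppid=2301 pid=2345 auid=1001 uid=1001 gid=1004 tty=pts1 ses=4 comm="ls" exe="/usr/bin/ls" key="secretcats_watch"
type=PATH msg=audit(1512999900.101:412): item=0 name="/secretcats/" inode=67 mode=043770 ouid=99 ogid=1004 nametype=NORMAL
type=SYSCALL msg=audit(1512999955.250:413): arch=c000003e syscall=80 success=no exit=-13 ppid=2401 pid=2450 auid=1003 uid=1003 gid=1003 tty=pts2 ses=5 comm="bash" exe="/usr/bin/bash" key="secretcats_watch"
type=PATH msg=audit(1512999955.250:413): item=0 name="/secretcats" inode=67 mode=043770 ouid=99 ogid=1004 nametype=NORMAL
type=SYSCALL msg=audit(1512999999.000:414): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=999 auid=1000 uid=0 gid=0 tty=pts0 ses=1 comm="vim" exe="/usr/bin/vim" key="passwd_changes"
"""

# key=value or key="quoted value" tokens, as auditd writes them.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Partial x86_64 syscall table (assumption: arch=c000003e); extend as needed.
SYSCALL_NAMES_X86_64 = {2: "open", 80: "chdir", 257: "openat"}


def parse_record(line):
    """Split one raw audit line into a dict; quotes are stripped from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def summarize(log_text, key):
    """Tally SYSCALL records tagged with `key` as
    {(auid, comm, syscall_name, success): count}.
    auid is the login uid, so activity under sudo is still attributed to the real person."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != key:
            continue
        num = int(rec["syscall"])
        name = SYSCALL_NAMES_X86_64.get(num, f"syscall_{num}")
        counts[(rec["auid"], rec["comm"], name, rec["success"])] += 1
    return counts


def denied_attempts(log_text, key):
    """Return sorted (auid, comm, syscall_name) tuples that were refused (success=no)."""
    return sorted(k[:3] for k, n in summarize(log_text, key).items() if k[3] == "no")


if __name__ == "__main__":
    for (auid, comm, name, ok), n in summarize(SAMPLE_AUDIT_LOG, "secretcats_watch").items():
        print(f"auid={auid} comm={comm} {name} success={ok} x{n}")
    print("denied:", denied_attempts(SAMPLE_AUDIT_LOG, "secretcats_watch"))
```

A failed cd shows up as a chdir record with success=no, which is exactly what the -p x variant of the rule is meant to catch.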

Easy enough so far, right? Let's now look at something a bit more complex.
