So, something new for me as well... audit will not follow symlinks on file
watch.
See the following example:
> tw-audit:~ # ls -l /etc/issue
> lrwxrwxrwx 1 root root 12 Apr 5 2022 /etc/issue -> ../run/issue
> tw-audit:~ # auditctl -w /etc/issue -k w_issue
> tw-audit:~ # cat /etc/issue # nothing logged here
> ...
> tw-audit:~ # mv /etc/issue /etc/issue2 # this modifies the symlink itself, so it gets logged, see below
> tw-audit:~ # echo "hello" > /etc/issue # 'echo' is shell builtin, nothing logged
> tw-audit:~ # cat /etc/issue # this is logged now since /etc/issue is not a symlink anymore
> tw-audit:~ # /usr/bin/echo "hello" >> /etc/issue # using the 'echo' binary now, entry logged under 'proctitle=-bash'
> tw-audit:~ # ausearch -i -k w_issue
> ----
> type=PROCTITLE msg=audit(03/21/23 17:24:36.732:291) : proctitle=auditctl -w /etc/issue -k w_issue
> type=SYSCALL msg=audit(03/21/23 17:24:36.732:291) : arch=x86_64 syscall=sendto success=yes exit=1076 a0=0x4 a1=0x7ffda4fef0c0 a2=0x434 a3=0x0 items=0 ppid=1227 pid=2100 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=auditctl exe=/usr/sbin/auditctl subj=unconfined key=(null)
> type=CONFIG_CHANGE msg=audit(03/21/23 17:24:36.732:291) : auid=root ses=1 subj=unconfined op=add_rule key=w_issue list=exit res=yes
> ----
> type=PROCTITLE msg=audit(03/21/23 17:25:09.536:292) : proctitle=mv /etc/issue /etc/issue2
> type=PATH msg=audit(03/21/23 17:25:09.536:292) : item=3 name=/etc/issue2 inode=8367 dev=fd:02 mode=link,777 ouid=root ogid=root rdev=00:00 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=PATH msg=audit(03/21/23 17:25:09.536:292) : item=2 name=/etc/issue inode=8367 dev=fd:02 mode=link,777 ouid=root ogid=root rdev=00:00 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=PATH msg=audit(03/21/23 17:25:09.536:292) : item=1 name=/etc/ inode=131 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=PATH msg=audit(03/21/23 17:25:09.536:292) : item=0 name=/etc/ inode=131 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=CWD msg=audit(03/21/23 17:25:09.536:292) : cwd=/root
> type=SYSCALL msg=audit(03/21/23 17:25:09.536:292) : arch=x86_64 syscall=renameat2 success=yes exit=0 a0=AT_FDCWD a1=0x7ffe3d16e479 a2=AT_FDCWD a3=0x7ffe3d16e484 items=4 ppid=1227 pid=2118 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=mv exe=/usr/bin/mv subj=unconfined key=w_issue
> ----
> type=PROCTITLE msg=audit(03/21/23 17:26:06.488:293) : proctitle=cat /etc/issue
> type=PATH msg=audit(03/21/23 17:26:06.488:293) : item=0 name=/etc/issue inode=12814 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=CWD msg=audit(03/21/23 17:26:06.488:293) : cwd=/root
> type=SYSCALL msg=audit(03/21/23 17:26:06.488:293) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x7ffd3f9f6483 a2=O_RDONLY a3=0x0 items=1 ppid=1227 pid=2120 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=cat exe=/usr/bin/cat subj=unconfined key=w_issue
> ----
> type=PROCTITLE msg=audit(03/21/23 17:28:02.848:294) : proctitle=-bash
> type=PATH msg=audit(03/21/23 17:28:02.848:294) : item=1 name=/etc/issue inode=12814 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=PATH msg=audit(03/21/23 17:28:02.848:294) : item=0 name=/etc/ inode=131 dev=fd:02 mode=dir,755 ouid=root ogid=root rdev=00:00 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=CWD msg=audit(03/21/23 17:28:02.848:294) : cwd=/root
> type=SYSCALL msg=audit(03/21/23 17:28:02.848:294) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x55c9aa5d38a0 a2=O_WRONLY|O_CREAT|O_APPEND a3=0x1b6 items=2 ppid=1227 pid=2123 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=bash exe=/usr/bin/bash subj=unconfined key=w_issue