logging root authorized_keys file manipulation

[borross]

for correct logging add pls under the section ## root ssh key tampering such value
-w /root/.ssh/authorized_keys -p wa -k rootkey

Commands for check:

ssh-keygen -t rsa -f test_key
cat test_key.pub >> /root/.ssh/authorized_keys

Log sample:

type=PATH msg=audit(1723720092.480:12186438): item=0 name="/root/.ssh/authorized_keys" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

[Pierre-Gronau-ndaal]

what about:

-a always,exit -F arch=b32 -F dir=/root/.ssh/authorized_keys -F perm=wa -F key=rootkey
-a always,exit -F arch=b64 -F dir=/root/.ssh/authorized_keys -F perm=wa -F key=rootkey