28 May 2015
I used auditctl to help me track down what was modifying files on my Ubuntu server.
To remove an auditctl rule with -d, you have to repeat every field of the rule exactly as it was added (path, permissions and key), otherwise auditctl reports that no such rule exists. auditctl -D wipes all rules at once, and auditctl -l lists what is currently loaded so you can copy the fields verbatim.
Also remember that ausearch/aureport only read what auditd has already written to /var/log/audit/audit.log, so make sure auditd is running before you add rules, or there will be nothing to search.
I find that watching write + append only (-p wa) gives me readable logs, especially when dealing with WordPress files. Add read (r) as well and you’ll be sifting through thousands of repetitions of apache2 opening the same .php files on every request.
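Here is a worked example of the whole routine (added for this post, not part of the original write-up): the watch rule with -p wa and a key, the matching -d line that must repeat the same fields, and a small function that parses raw audit.log records to list which executable wrote which file under that key. The WordPress root /var/www/html, the key name wp-writes and the sample records are all made up for the example; the record layout follows what auditd writes for a watch hit, but the values are constructed.

```shell
#!/bin/bash
# Added example, not from the original post. Paths and key are assumptions.

WP_ROOT=/var/www/html   # hypothetical WordPress document root
KEY=wp-writes           # hypothetical audit key

# 1. Watch for writes and appends only. Adding r would log every read
#    apache2 does of every .php file on each request.
#      sudo auditctl -w "$WP_ROOT" -p wa -k "$KEY"
# 2. Removing it: -d must repeat every field of the -w rule exactly.
#      sudo auditctl -d "$WP_ROOT" -p wa -k "$KEY"
# 3. Searching by key, with uids/timestamps interpreted:
#      sudo ausearch -k "$KEY" -i

# Constructed sample records in raw audit.log format (values are made up).
# Each event has one SYSCALL record plus one PATH record per path item;
# the records share the serial in msg=audit(TIME:SERIAL).
SAMPLE_LOG='type=SYSCALL msg=audit(1432801234.567:1001): arch=c000003e syscall=2 success=yes exit=4 items=2 ppid=1200 pid=1234 auid=4294967295 uid=33 gid=33 euid=33 comm="apache2" exe="/usr/sbin/apache2" key="wp-writes"
type=PATH msg=audit(1432801234.567:1001): item=0 name="/var/www/html/wp-content/uploads/" inode=100 dev=fc:01 mode=040755 ouid=33 ogid=33 nametype=PARENT
type=PATH msg=audit(1432801234.567:1001): item=1 name="/var/www/html/wp-content/uploads/x.php" inode=101 dev=fc:01 mode=0100644 ouid=33 ogid=33 nametype=CREATE
type=SYSCALL msg=audit(1432801300.123:1002): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="wp-writes"
type=PATH msg=audit(1432801300.123:1002): item=0 name="/var/www/html/wp-config.php" inode=102 dev=fc:01 mode=0100640 ouid=33 ogid=33 nametype=NORMAL
type=SYSCALL msg=audit(1432801400.000:1003): arch=c000003e syscall=2 success=yes exit=5 items=1 ppid=1 pid=2000 auid=4294967295 uid=0 gid=0 euid=0 comm="logrotate" exe="/usr/sbin/logrotate" key="other-key"
type=PATH msg=audit(1432801400.000:1003): item=0 name="/var/log/apache2/access.log" inode=103 dev=fc:01 mode=0100640 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1432974000.000:1004): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1 pid=3001 auid=4294967295 uid=33 gid=33 euid=33 comm="php" exe="/usr/bin/php" key="wp-writes"
type=PATH msg=audit(1432974000.000:1004): item=0 name="/var/www/html/wp-includes/class-wp.php" inode=104 dev=fc:01 mode=0100644 ouid=33 ogid=33 nametype=NORMAL'

# audit_writers KEY
# Reads raw audit.log records on stdin and prints one line per event whose
# SYSCALL record carries KEY: "<serial> <exe> <path>", ordered by serial.
# The SYSCALL and PATH records of one event are joined on the serial number;
# PARENT path items (the directory) are skipped so only the file is shown.
audit_writers() {
    key="$1"
    awk -v want="$key" '
        function unq(v) { gsub(/"/, "", v); return v }
        {
            # Serial is the number after the colon in msg=audit(TIME:SERIAL):
            if (match($2, /:[0-9]+\)/) == 0) next
            serial = substr($2, RSTART + 1, RLENGTH - 2)
            # Split the remaining fields into k=v pairs for this record only.
            split("", f)
            for (i = 3; i <= NF; i++) {
                eq = index($i, "=")
                if (eq == 0) continue
                f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
            }
        }
        $1 == "type=SYSCALL" { exe[serial] = unq(f["exe"]); key[serial] = unq(f["key"]) }
        $1 == "type=PATH" && f["nametype"] != "PARENT" { name[serial] = unq(f["name"]) }
        END {
            for (s in key)
                if (key[s] == want)
                    print s, exe[s], name[s]
        }
    ' | sort -n
}

# Run against the constructed sample: apache2 and php wrote under the web
# root and vim edited wp-config.php; the logrotate event has another key.
printf '%s\n' "$SAMPLE_LOG" | audit_writers "$KEY"
```

In practice you feed it the real file (sudo cat /var/log/audit/audit.log | audit_writers wp-writes); a uid=33 apache2 or php write to a .php file outside wp-content/uploads is the pattern worth chasing. ausearch -i gives the same join for free, but having the fields in one line per event makes it easy to sort or count by exe.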
In my case, auditctl/ausearch helped me track down a PHP file that was modifying files every couple of days.