diff --git a/audit.rules b/audit.rules
index 011e398..94a0472 100644
--- a/audit.rules
+++ b/audit.rules
@@ -338,9 +338,9 @@
 ### https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services
 ### https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/configuring_authentication_and_authorization_in_rhel/index
 
--w /etc/nsswitch.conf -p x -k T1078_Valid_Accounts
--w /etc/sssd/sssd.conf -p x -k T1078_Valid_Accounts
--w /etc/openldap/ldap.conf -p x -k T1078_Valid_Accounts
+-w /etc/nsswitch.conf -p wa -k T1078_Valid_Accounts
+-w /etc/sssd/sssd.conf -p wa -k T1078_Valid_Accounts
+-w /etc/openldap/ldap.conf -p wa -k T1078_Valid_Accounts
 
 -a always,exit -F path=/usr/libexec/sssd/p11_child -F perm=x -F auid>=500 -F auid!=-1 -k T1078_Valid_Accounts
 -a always,exit -F path=/usr/libexec/sssd/krb5_child -F perm=x -F auid>=500 -F auid!=-1 -k T1078_Valid_Accounts