<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="post-text" itemprop="description">
<p>I am trying to use auditd to monitor changes to a directory.
The problem is that when I set up a rule, it monitors the directory
I specified but also all the subdirectories and files, making the
monitor useless due to endless verbosity.</p>
<p>Here is the rule I set up:</p>
<pre class="lang-sh prettyprint prettyprinted"><code>auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch</code></pre>
<p>When I search the logs using</p>
<pre class="lang-sh prettyprint prettyprinted"><code>ausearch -k raven-pubhtmlwatch</code></pre>
<p>I get thousands of lines of logs that list everything under
public_html/</p>
<p>How can I limit the rule to changes on the directory specified
only? </p>
<p>Thank you very much.</p>
</div>
</body>
</html>