Disabling monitoring of a subfolder

Marcelo Cerri mhcerri at linux.vnet.ibm.com
Mon Nov 28 15:48:37 UTC 2011


Hi,

You could use a syscall-based form to write the rule.

First exclude the subdirectory that you don't want to watch (using 
*never* as action):

     auditctl -a exit,never -F dir=/var/mydata/tmp_data -k my-data

And then add a watcher to all the rest:

     auditctl -a exit,always -F dir=/var/mydata -F perm=w -k my-data

Regards,
Marcelo


On 11/24/2011 12:46 PM, Marina Gray wrote:
> I have a folder which I'd like to monitor with auditd, with the
> exception of one specific subdirectory. Is there any way I can disable
> monitoring just that subdirectory, but keep monitoring the rest of the
> dir recursively as usual?
>
> Say, I first do:
>
> auditctl -w /var/mydata/ -k my-data -p w
>
> and want to exclude looking at /var/mydata/tmp_data/
>
>
> Thanks!
>
>
> M G
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
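
Added example, not part of either message above: the reply depends on rule order, because rules appended with -a are checked in the order they were added and the first match decides. This sketch flags rule files where the exclusion comes too late; the function name `shadowed_exclusions` is hypothetical and the two sample rule files are constructed from the commands in the reply.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Rules appended with -a are checked in
# the order they were added and the first match decides, so the "never" rule
# for the subdirectory must come before the "always" rule for its parent.

# shadowed_exclusions FILE  (hypothetical helper name)
# Prints the dir= of every exit,never rule that follows an exit,always rule
# covering the same tree. Returns 1 if any are found, 0 otherwise.
# Only -a rules with a dir= field are considered; anything else is skipped.
shadowed_exclusions() {
  awk '
    /^[[:space:]]*#/ { next }               # ignore commented-out rules
    {
      action = ""; raw = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-a" && $(i+1) ~ /(^|,)exit(,|$)/) {
          if ($(i+1) ~ /(^|,)never(,|$)/)  action = "never"
          if ($(i+1) ~ /(^|,)always(,|$)/) action = "always"
        }
        if ($i == "-F" && $(i+1) ~ /^dir=/) raw = substr($(i+1), 5)
      }
      if (action == "" || raw == "") next
      dir = raw; sub(/\/*$/, "/", dir)      # normalise to one trailing slash
      if (action == "always") { watched[++n] = dir; next }
      for (j = 1; j <= n; j++)              # never-rule: is it already covered?
        if (index(dir, watched[j]) == 1) { print raw; bad = 1; break }
    }
    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample rule files (auditctl arguments, one rule per line).
good=$(mktemp); bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
cat > "$good" <<'EOF'
-a exit,never -F dir=/var/mydata/tmp_data -k my-data
-a exit,always -F dir=/var/mydata -F perm=w -k my-data
EOF
cat > "$bad" <<'EOF'
-a exit,always -F dir=/var/mydata -F perm=w -k my-data
-a exit,never -F dir=/var/mydata/tmp_data -k my-data
EOF

shadowed_exclusions "$good" && echo "good: exclusion is evaluated first"
shadowed_exclusions "$bad"  || echo "bad: exclusion above is never reached"
```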



