I know that I can add to the audit.rules file a rule like -w /etc/ -p rawx -k watch_Etc But how far down will this sort of audit rule monitor /etc/? How many levels deep? Thanks.