auditctl rule to monitor dir only (not all sub dir and files etc..)
Stefano Schiavi
stefanoschiavi00 at gmail.com
Thu Sep 26 15:36:45 UTC 2013
I am trying to use auditd to monitor changes to a directory. The problem
is that when I set up a rule it does monitor the dir I specified but also
all the sub dir and files making the monitor useless due to endless
verbosity.
Here is the rule I set up:
auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch
When I search the logs using
ausearch -k raven-pubhtmlwatch
I get thousands of lines of logs that list everything under public_html/.
How can I limit the rule to changes on the directory specified only?
Thank you very much.