On Monday 23 July 2007 11:25:22 am Ameel Kamboh wrote:
> I would like to audit the file system for anyone creating new files
> However I would like to exclude a directory from the watch list.
>
> Here is the sample I have:
>
> #3. create/Remove any files
> -a exit,always -S creat -F path!=/var/myApp <--- line 21
> -a exit,always -S unlink -F path!=/var/myApp

I was hoping one of the kernel people was going to jump in with an answer here. I have a feeling that the kernel doesn't allow it. I think it would be trivial to patch the kernel to allow this and we should. The rule you are trying to express seems reasonable to me.

-Steve
