Hi,

You could use a syscall-based form to write the rule.

First exclude the subdirectory that you don't want to watch (using *never* as action):

    auditctl -a exit,never -F dir=/var/mydata/tmp_data -k my-data

And then add a watcher to all the rest:

    auditctl -a exit,always -F dir=/var/mydata -F perm=w -k my-data

Regards,
Marcelo


On 11/24/2011 12:46 PM, Marina Gray wrote:
I have a folder which I'd like to monitor with auditd, with the
exception of one specific subdirectory. Is there any way I can disable
monitoring just that subdirectory, but keep monitoring the rest of the
dir recursively as usual?

Say, I first do:

    auditctl -w /var/mydata/ -k my-data -p w

and want to exclude looking at /var/mydata/tmp_data/


Thanks!


M G

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
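
The order of the two rules in the reply matters: per auditctl(8), an event triggers on the first matching rule, so the `never` rule has to be loaded before the `always` rule for the parent directory. The script below is an added example, not part of the original thread; it lints a rule list for exclusions placed too late. The function names `rule_dir`, `rule_action` and `check_order` are hypothetical, and only the `-a ... -F dir=` form used in the reply is handled.

```shell
#!/bin/sh
# Lint a list of audit rules (one per line on stdin) for directory exclusions
# that are placed too late. auditctl(8): an event triggers on the first
# matching rule, so suppressions belong at the top of the list.

# Print the -F dir= value of a rule, without trailing slashes.
rule_dir() {
    printf '%s\n' "$1" | sed -n 's/.*-F  *dir=\([^ ]*\).*/\1/p' | sed 's:\(.\)/*$:\1:'
}

# Print "always" or "never" from the rule's "-a list,action" argument.
rule_action() {
    spec=$(printf '%s\n' "$1" | sed -n 's/^ *\(auditctl  *\)\{0,1\}-[aA]  *\([^ ]*\).*/\2/p')
    case ",$spec," in
        *,never,*)  echo never ;;
        *,always,*) echo always ;;
    esac
}

# Return 1 and print a finding for every "never" rule that follows an
# "always" rule covering the same directory or one of its parents.
check_order() {
    n=0; bad=0; seen=""
    while IFS= read -r line; do
        n=$((n + 1))
        dir=$(rule_dir "$line")
        [ -n "$dir" ] || continue
        case "$(rule_action "$line")" in
            always) seen="$seen $n:$dir" ;;
            never)
                for entry in $seen; do
                    parent=${entry#*:}
                    case "${dir%/}/" in
                        "${parent%/}"/*)
                            echo "line $n: never rule for $dir is shadowed by always rule for $parent (line ${entry%%:*})"
                            bad=1 ;;
                    esac
                done ;;
        esac
    done
    return "$bad"
}

# Constructed sample: the two rules from the reply, in the wrong order.
check_order <<'EOF' || echo "move the never rule above the always rule"
-a exit,always -F dir=/var/mydata -F perm=w -k my-data
-a exit,never -F dir=/var/mydata/tmp_data -k my-data
EOF
```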

