On Tuesday 20 January 2009 11:11:52 am Ameel Kamboh wrote: > Is there a way to exclude watching sub directories as well.
Today, not that I know of. A patch was submitted into the latest development kernel (2.6.29) to preserve watch ordering. But you will have to make some changes to the rules. A typical watch looks like this: -w /var/mydir -p wa -k mywatch its the same as: -a always,exit -F dir=/var/mydir -F perms=wa -F key=mywatch In the future, you will be able to do: -a never,exit -F dir=/var/mydir/runtime -a always,exit -F dir=/var/mydir -F perms=wa -F key=mywatch in that specific order since first match wins. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
