Is it possible to audit only the events of creation and deletion of files?
I know that I can use a watch rule with a write filter to check if a file or directory is being created/delete, but this rule also generates audit entries when a file (inside the directory being tracked) is modified. Is there a way to prevent this?
Best Regards, -- Richard Maciel, MSc IBM Linux Technology Center [email protected] -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
