2
1
I am trying to use auditd to monitor changes to a directory. The problem is that when I set up a rule, it monitors the directory I specified, but also all the subdirectories and files underneath it, making the monitoring useless due to endless verbosity.
Here is how I set up the rule:
auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch
When I search the logs using
ausearch -k raven-pubhtmlwatch
I get thousands of lines from the logs that list everything under public_html.
How can I limit the rule to changes on the directory specified only?
1
also asked here: http://stackoverflow.com/q/19031898/7552
– glenn jackman – 2013-09-26T16:30:59.143