From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb
Subject: Re: auditctl rule to monitor dir only (not all sub dir and files etc..)
Date: Thu, 26 Sep 2013 14:25:32 -0400
Message-ID: <18913033.s01T2HagDj@x2>
References: <5244548D.2080609@gmail.com>
In-Reply-To: <5244548D.2080609@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, September 26, 2013 05:36:45 PM Stefano Schiavi wrote:
> I am trying to use auditd to monitor changes to a directory. The problem
> is that when I set up a rule it does monitor the dir I specified but also
> all the sub dirs and files, making the monitor useless due to endless
> verbosity.
>
> Here is the rule I set up:
>
>     auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch

A watch is really a syscall rule in disguise. If you place a watch on a
directory, auditctl will turn it into:

    -a exit,always -F dir=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch

The -F dir field is recursive. However, if you just want to watch the
directory entries, you can change that to -F path:

    -a exit,always -F path=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatch

This is not recursive and just watches the inode that the directory occupies.

-Steve
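The expansion Steve describes (a -w watch is shorthand for an -a exit,always syscall rule, recursive with -F dir= and non-recursive with -F path=), written out as a small POSIX sh helper so the two forms can be generated and compared side by side. This is an added example for this thread, not code from auditd or from either poster; the function name watch_to_rule and the mode names are my own. It only prints rule text; loading a rule still requires root and a kernel with audit enabled.

```shell
#!/bin/sh
# Expand an auditctl "-w PATH -p PERMS -k KEY" watch into the explicit
# syscall rule auditctl builds from it, so the recursive (-F dir=) versus
# non-recursive (-F path=) choice is visible. Added example for this
# thread; not part of auditd. watch_to_rule is a name assumed here.
#
# Usage: watch_to_rule MODE PATH PERMS KEY
#   MODE  recursive     -> -F dir=PATH   (what "-w DIR" turns into; whole tree)
#         nonrecursive  -> -F path=PATH  (only the inode PATH names)
watch_to_rule() {
    mode=$1; path=$2; perms=$3; key=$4
    case $mode in
        recursive)    field=dir ;;
        nonrecursive) field=path ;;
        *) printf 'unknown mode: %s\n' "$mode" >&2; return 1 ;;
    esac
    # -p accepts only a combination of r, w, x and a; reject anything else
    # up front rather than letting auditctl fail at load time.
    case $perms in
        ""|*[!rwxa]*) printf 'bad -p value: %s\n' "$perms" >&2; return 1 ;;
    esac
    # "exit,always" is the order used in the message above; auditctl also
    # accepts "always,exit".
    printf '%s -F %s=%s -F perm=%s -F key=%s\n' \
        '-a exit,always' "$field" "$path" "$perms" "$key"
}

# The watch from the original question, expanded both ways.
# To actually load the non-recursive variant (as root, audit enabled):
#   auditctl $(watch_to_rule nonrecursive /home/raven/public_html war raven-pubhtmlwatch)
#   auditctl -l                     # confirm which form is loaded
#   ausearch -k raven-pubhtmlwatch  # pull the events it produced
watch_to_rule recursive    /home/raven/public_html war raven-pubhtmlwatch
watch_to_rule nonrecursive /home/raven/public_html war raven-pubhtmlwatch
```

Running the script prints the two rules from the message, differing only in dir= versus path=. The -p check matters in practice: a typo such as "-p wra" is fine, but "-p write" is not, and catching it before auditctl does keeps a bad rule out of a rules file that is loaded at boot.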