From: Steve Grubb
Subject: Re: Audit with path exception rule
Date: Tue, 24 Jul 2007 15:47:59 -0400
Message-ID: <200707241548.00142.sgrubb@redhat.com>
References: <95470FF653FF324C8171194A81299CE01519EEA1@zrc2hxm2.corp.nortel.com>
In-Reply-To: <95470FF653FF324C8171194A81299CE01519EEA1@zrc2hxm2.corp.nortel.com>
To: linux-audit@redhat.com, Alexander Viro
List-Id: linux-audit@redhat.com

On Monday 23 July 2007 11:25:22 am Ameel Kamboh wrote:
> I would like to audit the file system for anyone creating new files
> However I would like to exclude a directory from the watch list.
>
> Here is the sample I have:
>
> #3. create/Remove any files
> -a exit,always -S creat -F path!=/var/myApp <--- line 21
> -a exit,always -S unlink -F path!=/var/myApp

I was hoping one of the kernel people was going to jump in with an answer here.
I have a feeling that the kernel doesn't allow it. I think it would be trivial
to patch the kernel to allow this and we should. The rule you are trying to
express seems reasonable to me.

-Steve