From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Ameel Kamboh"
Subject: Exclusion with recursive watch
Date: Thu, 19 Feb 2009 10:30:05 -0500
Message-ID: <4620668FFAA3D5458A691287D9DDAD11014C81ED@zrtphxm2.corp.nortel.com>
To: linux-audit@redhat.com

I am currently using audit-1.6.5-9.el5.
I have watch rules that look for modifications to directory content, example:

    -w /etc -p aw

I would like to add an exception not to watch "/etc/mydir".
I know that audit 1.6 will watch /etc and all subdirs within that.
Is there a way I can add this exception?

Thanks
Ameel

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Exclusion with recursive watch
Date: Thu, 19 Feb 2009 13:43:11 -0500
Message-ID: <200902191343.11497.sgrubb@redhat.com>
In-Reply-To: <4620668FFAA3D5458A691287D9DDAD11014C81ED@zrtphxm2.corp.nortel.com>
To: linux-audit@redhat.com

On Thursday 19 February 2009 10:30:05 am Ameel Kamboh wrote:
> -w /etc -p aw
>
> I would like to add an exception not to watch "/etc/mydir".
> I know that audit 1.6 will watch /etc and all subdirs within that.
> Is there a way I can add this exception?

Not today. That is a kernel issue. Al corrected this in a patch that should
have landed in the 2.6.29 kernel. I believe this will also be fixed in the next
RHEL kernel.

-Steve