From: Stefano Schiavi
Subject: auditctl rule to monitor dir only (not all sub dir and files etc..)
Date: Thu, 26 Sep 2013 17:36:45 +0200
Message-ID: <5244548D.2080609@gmail.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I am trying to use auditd to monitor changes to a directory. The problem is that when I set up a rule it does monitor the dir I specified, but also all the subdirectories and files, making the monitor useless due to endless verbosity.

Here is the rule I setup:

auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch

When I search the logs using

ausearch -k raven-pubhtmlwatch

I get thousands of lines of logs that list everything under public_html/

How can I limit the rule to changes on the directory specified only?

Thank you very much.
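A practitioner's check on the rule itself first: auditctl(8) states that a `-w` watch placed on a directory is the same as a syscall rule using the `-F dir=` field, and that `dir` is a recursive watch, which is exactly the behaviour seen above; the same page lists `-F path=` as the file-watch form. What records a `-F path=<directory>` rule produces for the directory inode on a given kernel is worth confirming on a scratch directory before relying on it. Until the rule is narrowed, the noisy key can be post-filtered on the reading side. The following is an added example, not code from the original post or from the audit project. It assumes the raw `/var/log/audit/audit.log` line format (`type=... msg=audit(ts:serial): key=value ...`), that all records of one event share the serial, and that the `-k` value appears as `key="..."` on the SYSCALL record; the log lines are constructed for illustration, and the function names are the example's own.

```python
"""Post-filter raw auditd records to a watched directory and its direct entries.

Added example, not from the original post or the audit project. Assumes the
raw audit.log line format (type=... msg=audit(ts:serial): key=value ...),
one shared serial per event, and key="..." on the SYSCALL record.
"""
import re
from pathlib import PurePosixPath

# Constructed sample, shaped like what a recursive watch on
# /home/raven/public_html (auditctl -w ... -k raven-pubhtmlwatch) emits.
# Serial 101: file created directly in the directory        -> keep
# Serial 102: write to a file two levels down                -> drop
# Serial 103: chmod of the directory itself                  -> keep
# Serial 104: unlink of a direct entry, name relative to cwd -> keep
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1380209805.123:101): arch=c000003e syscall=2 success=yes exit=3 items=2 pid=4242 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="raven-pubhtmlwatch"
type=CWD msg=audit(1380209805.123:101):  cwd="/home/raven"
type=PATH msg=audit(1380209805.123:101): item=0 name="/home/raven/public_html/" inode=1001 dev=fd:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1380209805.123:101): item=1 name="/home/raven/public_html/index.html" inode=1002 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1380209805.456:102): arch=c000003e syscall=2 success=yes exit=4 items=1 pid=4310 auid=4294967295 uid=48 comm="php" exe="/usr/bin/php" key="raven-pubhtmlwatch"
type=CWD msg=audit(1380209805.456:102):  cwd="/home/raven/public_html/cache/x"
type=PATH msg=audit(1380209805.456:102): item=0 name="/home/raven/public_html/cache/x/y.tmp" inode=2002 dev=fd:01 mode=0100644 ouid=48 ogid=48 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1380209805.789:103): arch=c000003e syscall=90 success=yes exit=0 items=1 pid=4350 auid=1000 uid=1000 comm="chmod" exe="/bin/chmod" key="raven-pubhtmlwatch"
type=CWD msg=audit(1380209805.789:103):  cwd="/home/raven"
type=PATH msg=audit(1380209805.789:103): item=0 name="/home/raven/public_html" inode=1001 dev=fd:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1380209806.001:104): arch=c000003e syscall=87 success=yes exit=0 items=2 pid=4360 auid=1000 uid=1000 comm="rm" exe="/bin/rm" key="raven-pubhtmlwatch"
type=CWD msg=audit(1380209806.001:104):  cwd="/home/raven/public_html"
type=PATH msg=audit(1380209806.001:104): item=0 name="/home/raven/public_html" inode=1001 dev=fd:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1380209806.001:104): item=1 name="notes.txt" inode=1003 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def _decode_path(value):
    """auditd quotes ordinary paths; paths with odd bytes are written as unquoted hex."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if len(value) % 2 == 0 and HEX_RE.fullmatch(value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_records(text):
    """Yield (serial, record_type, fields) for each well-formed audit line."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, serial, rest = m.group(1), int(m.group(3)), m.group(4)
        fields = {}
        for key, raw in FIELD_RE.findall(rest):
            fields[key] = _decode_path(raw) if key in ("name", "cwd") else raw.strip('"')
        yield serial, rtype, fields


def group_events(text):
    """Group records by serial, preserving log order (dict keeps insertion order)."""
    events = {}
    for serial, rtype, fields in parse_records(text):
        events.setdefault(serial, []).append((rtype, fields))
    return events


def touches_directory(records, watched):
    """True if any PATH record names `watched` itself or an entry directly inside it.

    Relative names are resolved against the event's CWD record; a trailing slash
    (as on nametype=PARENT entries) is normalised away by PurePosixPath.
    """
    target = PurePosixPath(watched)
    cwd = next((f["cwd"] for t, f in records if t == "CWD" and "cwd" in f), "/")
    for rtype, f in records:
        if rtype != "PATH" or "name" not in f:
            continue
        p = PurePosixPath(f["name"])
        if not p.is_absolute():
            p = PurePosixPath(cwd) / p
        if p == target or p.parent == target:
            return True
    return False


def direct_events(text, watched, key=None):
    """Serials of events (optionally only those tagged with -k `key`) touching `watched` directly."""
    kept = []
    for serial, records in group_events(text).items():
        if key is not None and not any(t == "SYSCALL" and f.get("key") == key for t, f in records):
            continue
        if touches_directory(records, watched):
            kept.append(serial)
    return kept


if __name__ == "__main__":
    for serial in direct_events(SAMPLE_LOG, "/home/raven/public_html", key="raven-pubhtmlwatch"):
        print(serial)  # prints 101, 103, 104 for the constructed sample
```

Feed it `ausearch -k raven-pubhtmlwatch --raw` output or the log file itself and grep the returned serials back out. Note that this only thins what you read: the kernel still evaluates the recursive watch and auditd still writes every record, so the real fix remains a narrower rule.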
