I am trying to use auditd to monitor changes to a directory. The problem
is that when I set up a rule, it does monitor the dir I specified but also
all the subdirectories and files, making the monitor useless due to endless
verbosity.
Here is the rule I set up:
|auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch|
When I search the logs using
|ausearch -k raven-pubhtmlwatch|
I get thousands of lines of logs that list everything under public_html/.
How can I limit the rule to changes on the directory specified only?
Thank you very much.