Best means of capturing audit changes to a certain filename under a path subtree? aka wildcard file watches

Hi, In the wake of the kernel.org attack, we're brushing up our security at Gentoo (I lead our infrastructure/IT team for Gentoo services). One of our self-identified weaknesses is auditing of changes to files used elsewhere in our automated verification processes. The audit subsystem gives a great general way to do this, but I can't identify how best to audit changes to a file when the entire path is not known ahead of time. It seems that it would best be accomplished with wildcards: /var/db/pkg/*/*/CONTENTS However, the last email on the ilst about wildcards, was from Steve, back in March 2006, responding to somebody asking about wildcard support, and Steve answered that it was potentially coming via a new patch. I think that patch was inotify, and inotify doesn't support wildcards. Since it seems to not be natively possible, what is the most efficient way of auditing those file changes? (They comprise some 2000 files out of 60k in that tree). -- Robin Hugh Johnson Gentoo Linux: Developer, Trustee & Infrastructure Lead E-Mail : robbat2(a)gentoo.org GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85