I am trying to use auditd to monitor changes to a directory. The problem is that when I set up a rule, it does monitor the dir I specified, but also all the subdirs and files, making the monitor useless due to endless verbosity.
Here is the rule I set up:
auditctl -w /home/raven/public_html -p war -k raven-pubhtmlwatch
When I search the logs using
ausearch -k raven-pubhtmlwatch
I get thousands of lines of logs that list everything under public_html/.
How can I limit the rule to changes on the directory specified only?
Thank you very much.
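
Added example, not part of the original post: a Python filter that reduces raw audit records for the key above to the events whose PATH records name /home/raven/public_html itself (the directory as the object, or as the PARENT of an entry created or removed directly inside it). It assumes the raw record layout of audit.log or `ausearch --raw` with unencoded quoted names; the function names and the sample records are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict

WATCHED = "/home/raven/public_html"   # directory from the rule above
KEY = "raven-pubhtmlwatch"            # key from the rule above

EVENT_ID = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not real log output), one event per serial number.
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.000:101): syscall=257 success=yes comm="touch" key="raven-pubhtmlwatch"
type=CWD msg=audit(1700000000.000:101): cwd="/home/raven"
type=PATH msg=audit(1700000000.000:101): item=0 name="public_html/" nametype=PARENT
type=PATH msg=audit(1700000000.000:101): item=1 name="public_html/new.html" nametype=CREATE
type=SYSCALL msg=audit(1700000001.000:102): syscall=257 success=yes comm="php" key="raven-pubhtmlwatch"
type=PATH msg=audit(1700000001.000:102): item=0 name="/home/raven/public_html/blog/cache/" nametype=PARENT
type=PATH msg=audit(1700000001.000:102): item=1 name="/home/raven/public_html/blog/cache/a.tmp" nametype=CREATE
type=SYSCALL msg=audit(1700000002.000:103): syscall=90 success=yes comm="chmod" key="raven-pubhtmlwatch"
type=PATH msg=audit(1700000002.000:103): item=0 name="/home/raven/public_html" nametype=NORMAL
type=SYSCALL msg=audit(1700000003.000:104): syscall=90 success=yes comm="chmod" key="other-watch"
type=PATH msg=audit(1700000003.000:104): item=0 name="/home/raven/public_html" nametype=NORMAL
""".splitlines()

def parse_events(lines):
    """Group raw audit records by the serial number in msg=audit(time:serial)."""
    events = defaultdict(list)
    for line in lines:
        m = EVENT_ID.search(line)
        if m:
            fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
            events[m.group(1)].append(fields)
    return events

def directory_events(lines, watched=WATCHED, key=KEY):
    """Serials of events tagged with `key` that reference `watched` itself."""
    hits = []
    for serial, records in parse_events(lines).items():
        if not any(r.get("key") == key for r in records):
            continue  # event came from a different rule
        # PATH names may be relative, so resolve them against the CWD record.
        cwd = next((r["cwd"] for r in records if r.get("type") == "CWD"), "/")
        paths = [posixpath.normpath(posixpath.join(cwd, r["name"]))
                 for r in records if r.get("type") == "PATH" and "name" in r]
        if watched in paths:  # deeper events only name subdirectories
            hits.append(serial)
    return hits
```
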