We are using audit 1.6 in our system.
When I add a watch rule for write and append to a directory, the log will report any changes to the directory and all the subdirectories as well.

Is there a way to exclude watching subdirectories as well?

Example:

Watch directory /var/mydir

The tree for mydir is as follows:

 /var/mydir
     |
     ---- runtime
     |
     ---- dir1
     |
     ---- dir2

I would like to watch /var/mydir + /var/mydir/dir1 + /var/mydir/dir2, but exclude /var/mydir/runtime.

Rule:
  -w /var/mydir -p aw

Is there a way to do what I am asking?

Ameel Kamboh
SIP Core Network and Security
Phone: 972.685.4922 (esn 445-4922)
Mobile: 978-590-2280
SIP: akamboh@techtrial.com
email: akamboh@nortel.com