I would like to audit the file system for anyone creating new files
However I would like to exclude a directory from the watch list.
Here is the sample I have:
#3. create/Remove any files
-a exit,always -S creat -F path!=/var/myApp <--- line 21
-a exit,always -S unlink -F path!=/var/myApp
This is giving me the following error:
auditctl -R test.rules
No rules
AUDIT_STATUS: enabled=1 flag=1 pid=3413 rate_limit=0 backlog_limit=1024 lost=0 backlog=0
Error sending add rule data request (Invalid argument)
There was an error in line 21 of test.rules
Ameel Kamboh
SIP Core Network and Security
Phone: 972.685.4922 (esn 445-4922)
Mobile: 978-590-2280
SIP: akamboh@techtrial.com
email: akamboh@nortel.com