Hi all,
I need to watch write operations in all directories under root (/), but not
watch, for example, the /proc and /dev paths.
For example, I wrote these rules in the audit.rules file, with the -w parameter:
-w /home -p w -k WriteProcess
-w /home -p r -k ReadProcess
This works, but this technique requires writing out all directory names (listing
all top-level directory names under the root directory).
Example: /home, /etc, /opt ...
However, I need these directories to be watched automatically by the audit daemon.
If a directory is added to the system, it is not watched (unless it is added
manually).
E.g. a user adds the directory /testing (mkdir /testing). In that case, write
permissions are not watched, because it is not defined in the audit.rules file.
I have tried the -W parameter, to remove a watch from the watch list, after
watching the / directory with -w:
-w / -p w
-W /proc
But this does not work.
How do I configure the /etc/audit/audit.rules file for my request?
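
The manual technique described in the post (one -w rule per top-level directory, leaving out /proc and /dev) can be generated instead of typed by hand. The script below is an added example, not part of the original post and not code from the audit project; the function name gen_watch_rules and its argument order are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print one audit watch rule per top-level directory.
# gen_watch_rules is a hypothetical helper, not part of auditd.
#
# Usage: gen_watch_rules ROOT PERM KEY [EXCLUDED_NAME ...]
#   ROOT           directory whose immediate subdirectories get a rule
#   PERM           value for -p (the post uses w)
#   KEY            value for -k (the post uses WriteProcess)
#   EXCLUDED_NAME  top-level names to leave out (the post wants proc and dev)
gen_watch_rules() {
    root=$1
    perm=$2
    key=$3
    shift 3                                  # "$@" now holds only the exclusions

    # "${root%/}" turns "/" into "" so the glob becomes "/*/".
    # Note: "*" does not match hidden (dot) directories.
    for dir in "${root%/}"/*/; do
        if [ ! -d "$dir" ]; then continue; fi    # glob matched nothing
        dir=${dir%/}                             # drop the trailing slash

        # Design choice of this example: skip symlinks (e.g. /bin -> usr/bin),
        # since the real directory they point to gets its own rule.
        if [ -L "$dir" ]; then continue; fi

        name=${dir##*/}
        skip=0
        for ex in "$@"; do
            if [ "$name" = "$ex" ]; then skip=1; fi
        done
        if [ "$skip" -eq 1 ]; then continue; fi

        printf -- '-w %s -p %s -k %s\n' "$dir" "$perm" "$key"
    done
}

# Print the rules for this system, using the key and exclusions from the post.
gen_watch_rules / w WriteProcess proc dev
```

The output is a snapshot: a directory created later, such as /testing in the post, only gets a rule once the script is run again and its output is placed in audit.rules.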