I have the following setup:

OS: Gentoo
Kernel: 2.6.26-gentoo-r3

The kernel was compiled with Audit Support and INOTIFY support (DNOTIFY was _not_ included in the kernel).

I have the following setup for the auditd daemon:

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = none
max_log_file = 3
max_log_file_action = ROTATE
space_left = 100
space_left_action = EMAIL
action_mail_acct = darkone
admin_space_left = 75
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = EXEC /home/darkone/scripts/audit_disk_error.sh

I run the audit daemon and I added the following rules:

<snap>
auditctl -a exclude,never -w /home/darkone/testfile -k exclude_file -p rwxa
auditctl -a exit,always -w /home/darkone/ -k test_file -S all
</snap>

When I list the loaded rules (using the auditctl -l command) the following is printed:

<snap>
LIST_RULES: exit,always dir=/home/darkone (0xd) perm=rwxa key=test_file
LIST_RULES: exit,always watch=/home/darkone/testfile perm=rwxa key=exclude_file
</snap>

As you can see, all rules were added to the exit table and no rules were added to the exclude table. The purpose was to generate any event regarding the /home/darkone directory, excluding /home/darkone/testfile. This was not possible. Also take a look at the order in which the rules were added. First I added the exclude rule, but when listing them the exclude rule was placed at the end of the table.
Sorry, I forgot to post the audit version: sys-process/audit-1.7.3
Similar rules seem to work here on a much newer audit; please retest.
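A small check that goes with the listing in the first post: it parses `auditctl -l` LIST_RULES lines and flags every rule whose loaded list/action differs from what the rule was meant to be, which is exactly what happened to the exclude rule above. This is an added example, not code from the thread or from the audit project; the sample listing is copied from the first post and the intent table is the poster's stated goal.

```python
"""Parse `auditctl -l` LIST_RULES output and verify each rule landed in the
intended list/action. Added example; the sample lines are the two rules shown
in the first post (audit 1.7.x output format)."""
import re
from dataclasses import dataclass, field

# Listing copied from the first post.
SAMPLE_LISTING = """\
LIST_RULES: exit,always dir=/home/darkone (0xd) perm=rwxa key=test_file
LIST_RULES: exit,always watch=/home/darkone/testfile perm=rwxa key=exclude_file
"""

# What the poster intended for each key (list, action).
INTENT = {"exclude_file": ("exclude", "never"), "test_file": ("exit", "always")}

LINE_RE = re.compile(r"^LIST_RULES:\s+(\w+),(\w+)\s+(.*)$")


@dataclass
class AuditRule:
    list_name: str  # exit, entry, task, user, exclude
    action: str     # always / never
    fields: dict = field(default_factory=dict)  # dir=, watch=, perm=, key=, ...


def parse_listing(text):
    """Turn LIST_RULES lines into AuditRule objects; non-matching lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        list_name, action, rest = m.groups()
        # auditctl prints a parenthesised hex mask after dir= watches; drop it.
        rest = re.sub(r"\s*\(0x[0-9a-fA-F]+\)", "", rest)
        fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
        rules.append(AuditRule(list_name, action, fields))
    return rules


def check_intent(rules, intent):
    """Return (key, loaded_list, loaded_action) for rules that ended up in a
    different list or with a different action than the intent table says."""
    mismatches = []
    for r in rules:
        key = r.fields.get("key")
        if key in intent and (r.list_name, r.action) != intent[key]:
            mismatches.append((key, r.list_name, r.action))
    return mismatches


if __name__ == "__main__":
    for key, lst, act in check_intent(parse_listing(SAMPLE_LISTING), INTENT):
        print(f"rule {key}: loaded as {lst},{act}; intended {INTENT[key]}")
```

Feeding it the live output of `auditctl -l` instead of the embedded sample gives the same check against the rules actually in the kernel.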