The syntax for the audit rules file enables you to perform ANDing and ORing operations.
For a given subtree directive, all pattern matching statements are logically ANDed with the subtree. Patterns have the following syntax:
Wildcards are permitted for both the subtree and pattern matching statements.
The exclamation point (!) character represents logical NOT.
A pattern that terminates with a slash is a subtree. The absence of a slash indicates that the pattern is not a directory. The subtree itself does not require an end slash.
For example, the following subtree example includes the contents of /home/nickiso/src except for object files, core files, and all of the SCCS subtrees. Note that directory names that terminate with .o and directories named core are not excluded because the patterns specified do not terminate with /.
/home/nickiso/src !*.o !core !SCCS/ CHECK all
Group multiple subtree directives together. Such subtree directives are logically ORed together.
/home/nickiso/src !*.o !core /home/nickiso/Mail /home/nickiso/docs *.sdw CHECK all IGNORE mtime lnmtime dirmtime
The files included in the previous example are as follows:
Everything under /home/nickiso/src except for *.o and core files
Everything under /home/nickiso/Mail
All files under /home/nickiso/docs that end in *.sdw
For these files, all attributes are checked except for modification times.