Use the event.file.monitor.user.skiplist parameter to specify a list of users to exclude from advanced monitoring for files. For these users, the auditing service does not record any write access to directories specified in event.file.monitor.

For users specified in this list, the auditing service checks this list against the original login user.

For example:

The event.file.monitor.user.skiplist parameter does not include the user dwirth. Dwirth uses the following command:

dzdo cp /tmp/badfile /etc/badfile

This activity generates the following audit event:

user dwirth run as root opened the file /etc/badfile using the /bin/cp command.

To use this parameter, you must have enabled the agent to perform advanced monitoring with the command dacontrol -m.

The default value for this parameter is root.