Playing with auditd
I had a need to monitor file modifications for all files recursively underneath a given directory. According to the auditctl(8) man page there are two ways of writing a rule to do this:
    -w /directory/ -p wa
    -a exit,always -F dir=/directory/ -F perm=wa
The former rule is basically a shortcut for the latter; the latter is also potentially more expressive, since extra -F conditions can be added to it. Ideally I also needed to exclude certain files and/or sub-directories within the directory from triggering the audit rule, and it turns out you do this as follows:
    -a exit,never -F dir=/directory/directory-to-exclude/
    -a exit,never -F path=/directory/file-to-exclude
    -a exit,always -F dir=/directory/ -F perm=wa
According to this post, order is important: list the exceptions before the main rule.
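As an added example (not the author's own commands), here is a small POSIX shell helper that emits the exceptions-first rule set described above for any watch directory and exclusion list, plus a companion check that flags a never rule listed after the always rule it was meant to carve out of, which is exactly the ordering mistake the post warns about. The function names and the requirement that excluded directories end in '/' are my conventions.

```shell
#!/bin/sh
# Added example, not from the original post. Emits an audit rules fragment
# (the format read from /etc/audit/rules.d/*.rules) watching WATCH_DIR
# recursively for writes/attribute changes, with exclusions listed FIRST,
# because the exit filter list is evaluated in order and the first match wins.
#
# Usage: gen_audit_rules WATCH_DIR [EXCLUDE ...]
#   (convention used here: excluded directories end with '/', files do not)
gen_audit_rules() {
    dir=$1; shift
    case $dir in */) ;; *) dir="$dir/";; esac   # match the post's dir=/…/ form
    for ex in "$@"; do
        case $ex in
            */) printf '%s\n' "-a exit,never -F dir=$ex" ;;
            *)  printf '%s\n' "-a exit,never -F path=$ex" ;;
        esac
    done
    printf '%s\n' "-a exit,always -F dir=$dir -F perm=wa"
}

# Reads a rule list (a rules file, or saved `auditctl -l` output, which prints
# the action as "always,exit") from file args or stdin and reports every
# exit,never rule whose dir=/path= lies under a dir= watched by an EARLIER
# exit,always rule: that exclusion is dead, since the watch already matched.
# Returns 1 if any shadowed rule was found, 0 otherwise.
check_rule_order() {
    awk '
        /^-a (exit,always|always,exit)/ && match($0, /-F dir=[^ ]+/) {
            w = substr($0, RSTART + 7, RLENGTH - 7)
            if (w !~ /\/$/) w = w "/"      # compare on a path-component boundary
            watched[++n] = w
        }
        /^-a (exit,never|never,exit)/ && match($0, /-F (dir|path)=[^ ]+/) {
            p = $0; sub(/.*-F (dir|path)=/, "", p); sub(/ .*/, "", p)
            for (i = 1; i <= n; i++)
                if (index(p, watched[i]) == 1) { print "shadowed: " $0; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$@"
}
```

Running check_rule_order against the live list (auditctl -l | check_rule_order) is a quick way to confirm the loaded rules still honour the exceptions-first ordering after an edit.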