O crédito vai para Steve @ redhat, que respondeu à minha pergunta no linux-audit
A watch is really a syscall rule in disguise. If you place a watch on a directory, auditctl will turn it into:
-a exit,always -F dir=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatchThe
-Fdir field is recursive. However, if you just want to watch the directory entries, you can change that to-Fpath.-a exit,always -F path=/home/raven/public_html -F perm=war -F key=raven-pubhtmlwatchThis is not recursive and just watches the inode that the directory occupies.
Eu tive que adicionar a regra manualmente em /etc/audit/audit.rules e depois reiniciar auditd com
/etc/init.d/auditd restart
agora as regras são adicionadas e funciona muito bem!