Ansible find module fails to print files found matching pattern - search

My target server home directory has files like below:
$ cd ~
$ ls -la
total 84
drwxr--r-- 7 wluser wluser 4096 Jun 11 02:56 .
drwxr-xr-x. 32 root root 4096 Jun 10 03:20 ..
drwx------ 4 wluser wluser 25 May 26 12:17 .ansible
-rw------- 1 wluser wluser 34681 Jun 11 03:29 .bash_history
-rw-r--r-- 1 wluser wluser 18 Aug 21 2019 .bash_logout
-rw-r--r-- 1 wluser wluser 193 Aug 21 2019 .bash_profile
-rw-r--r-- 1 wluser wluser 231 Aug 21 2019 .bashrc
drwxrwxr-x 4 wluser wluser 27 Feb 17 04:48 .cache
drwxrwxr-x 4 wluser wluser 28 Feb 17 08:17 .config
-rw-r--r-- 1 wluser wluser 172 Feb 17 2020 .kshrc
-rw------- 1 wluser wluser 40 May 28 11:59 .lesshst
drwxr----- 3 wluser wluser 18 Feb 17 08:17 .pki
-rw------- 1 wluser wluser 1204 Jul 5 10:05 .sh_history
drwxr--r-- 2 wluser wluser 76 May 28 10:59 .ssh
-rw------- 1 wluser wluser 13314 Jun 11 02:56 .viminfo
I use the below ansible play to find all file matching pattern:
121 - find:
122 paths: "/home/wluser/"
123 recurse: no
124 file_type: any
125 patterns:
126 - "*.sh*"
127 - "*.bash*"
128 - "*.ksh*"
129 - "*.profile*"
130 - ".ssh"
131 register: to_copy
132
133
134 - debug:
135 msg: "FOUNDDDXX {{ to_copy}}"
The output shows that it did not match anything when i expected this to work and display all the file in the home directory.
TASK [find] ***************************************************************************************************
task path: /web/playbooks/ansibleuser/va_action.yml:121
ok: [remotehost1] => {
"changed": false,
"examined": 72,
"files": [],
"invocation": {
"module_args": {
"age": null,
"age_stamp": "mtime",
"contains": null,
"file_type": "any",
"follow": false,
"get_checksum": false,
"hidden": false,
"paths": [
"/home/wluser/"
],
"patterns": [
"*.sh*",
"*.bash*",
"*.ksh*",
"*.profile*",
".ssh"
],
"recurse": false,
"size": null,
"use_regex": false
}
},
"matched": 0,
"msg": ""
}
TASK [debug] **************************************************************************************************
task path: /web/playbooks/ansibleuser/va_action.yml:134
ok: [remotehost1] => {
"msg": "FOUNDDDXX {u'files': [], u'changed': False, 'failed': False, u'examined': 72, u'msg': u'', u'matched': 0}"
}
The pattern matching may be incorrect but the .ssh folder should have matched for sure however, that too is not found.
$ ansible --version
ansible 2.4.2.0
config file = /home/ansbladm/.ansible.cfg
python version = 2.7.5
Can you please suggest how can i display all files under the home directory matching the patterns ?


This works for me
tasks:
- name: find files
find:
paths: /home/myuserId
patterns:
- "(.*bash.*)$"
- "(.*ssh.*)$"
use_regex: yes
hidden: yes
register: list_of_files
- name: print files
debug:
msg: "{{ list_of_files.files }}"
Note that use_regex: true and hidden: true. Without that argument, It did not work for me as well. I see you missed that argument in your code. Try that and let me know what you see

Related

Hidden Files Not Being Copied On Mac with cp -r

Very very weird issue. I have a project that has hidden files on Mac OS 12.2.1, I am try to copy over. For example:
drwxr-xr-x 16 john staff 512 Jun 25 10:35 .
drwxr-xr-x 6 john staff 192 Jun 27 06:50 ..
-rw-r--r--# 1 john staff 6148 Jun 5 13:52 .DS_Store
drwxr-xr-x 14 john staff 448 Jun 26 20:29 .git
-rw-r--r-- 1 john staff 310 Jun 4 09:52 .gitignore
-rw-r--r-- 1 john staff 368 Jun 4 10:15 Dockerfile
-rw-r--r-- 1 john staff 3486 Jun 20 15:29 README.md
drwxr-xr-x 8 john staff 256 Jun 24 16:49 build
-rw-r--r-- 1 john staff 217 Jun 4 10:16 docker-compose.yml
drwxr-xr-x 817 john staff 26144 Jun 25 14:31 node_modules
-rw-r--r-- 1 john staff 1075501 Jun 25 14:31 package-lock.json
-rw-r--r-- 1 john staff 1185 Jun 25 14:31 package.json
-rw-r--r-- 1 john staff 82 Jun 4 10:30 postcss.config.js
drwxr-xr-x 9 john staff 288 Jun 5 14:00 public
drwxr-xr-x 18 john staff 576 Jun 20 13:42 src
-rw-r--r-- 1 john staff 2836 Jun 5 02:36 tailwind.config.js
Now I run the following command
sudo cp -R * ../otherfolder
And I've also tried a variation
cp -r * ../otherfolder
And the following is there:
drwxr-xr-x 13 john staff 416 Jun 27 07:54 .
drwxr-xr-x 6 john staff 192 Jun 27 06:50 ..
-rw-r--r-- 1 john staff 368 Jun 27 07:54 Dockerfile
-rw-r--r-- 1 john staff 3486 Jun 27 07:54 README.md
drwxr-xr-x 8 john staff 256 Jun 27 07:54 build
-rw-r--r-- 1 john staff 217 Jun 27 07:54 docker-compose.yml
drwxr-xr-x 817 john staff 26144 Jun 27 07:54 node_modules
-rw-r--r-- 1 john staff 1075501 Jun 27 07:54 package-lock.json
-rw-r--r-- 1 john staff 1185 Jun 27 07:54 package.json
-rw-r--r-- 1 john staff 82 Jun 27 07:54 postcss.config.js
drwxr-xr-x 9 john staff 288 Jun 27 07:54 public
drwxr-xr-x 18 john staff 576 Jun 27 07:54 src
-rw-r--r-- 1 john staff 2836 Jun 27 07:54 tailwind.config.js
None of the invisible files with a period in front have NOT been copied over. Any ideas?

cp -rpv . /path/to/other/folder/

Patch command not working - can't find file to patch

I'm unable to apply the following patch from github into my docker container. I get the error can't find file.
https://patch-diff.githubusercontent.com/raw/ManageIQ/manageiq-providers-ansible_tower/pull/267.patch
root#0fec7605d8b9 manageiq-providers-ansible_tower-d5ec9817e49c]# patch < 267.patch
can't find file to patch at input line 16
Perhaps you should have used the -p or --strip option?
The text leading up to this was:
--------------------------
|From 36f36d6a9985d8df27ae35cbe13bf47f16309a69 Mon Sep 17 00:00:00 2001
|From: Adam Grare <adam#grare.com>
|Date: Thu, 14 Oct 2021 10:55:39 -0400
|Subject: [PATCH 1/3] Fix merge_extra_vars with nil variables
|
|---
| .../ansible_tower/automation_manager/configuration_script.rb | 2 +-
| .../automation_manager/configuration_workflow.rb | 2 +-
| .../providers/ansible_tower/automation_manager/job.rb | 4 ++--
| 3 files changed, 4 insertions(+), 4 deletions(-)
|
|diff --git a/app/models/manageiq/providers/ansible_tower/automation_manager/configuration_script.rb b/app/models/manageiq/providers/ansible_tower/automation_manager/configuration_script.rb
|index d133a97..83bad07 100644
|--- a/app/models/manageiq/providers/ansible_tower/automation_manager/configuration_script.rb
|+++ b/app/models/manageiq/providers/ansible_tower/automation_manager/configuration_script.rb
--------------------------
File to patch: q
q: No such file or directory
Skip this patch? [y] ^C
The files are inside the following directory
/opt/manageiq/manageiq-gemset/bundler/gems/manageiq-providers-ansible_tower-d5ec9817e49c
I'm trying to apply patch from within this directory. All the files are inside the app directory.
[root#0fec7605d8b9 manageiq-providers-ansible_tower-d5ec9817e49c]# ls -l
total 92
-rw-r--r-- 1 root root 20923 Dec 18 09:28 267.patch
drwxrwxr-x 1 root root 4096 Nov 29 01:44 app
drwxrwxr-x 3 root root 4096 Nov 29 01:44 bin
drwxrwxr-x 2 root root 4096 Nov 29 01:44 bundler.d
-rw-r--r-- 1 root root 5734 Jul 13 18:25 CHANGELOG.md
drwxrwxr-x 2 root root 4096 Nov 29 01:44 config
-rw-r--r-- 1 root root 603 Jul 13 18:25 Gemfile
drwxrwxr-x 5 root root 4096 Nov 29 01:44 lib
-rw-r--r-- 1 root root 11358 Jul 13 18:25 LICENSE.txt
drwxrwxr-x 2 root root 4096 Nov 29 01:44 locale
-rw-r--r-- 1 root root 6630 Jul 13 18:25 manageiq-providers-ansible_tower.gemspec
-rw-r--r-- 1 root root 339 Jul 13 18:25 Rakefile
-rw-r--r-- 1 root root 1735 Jul 13 18:25 README.md

Copy fails in bash script even when I use `/bin/cp` and chmod 777 on the file

I wrote a bash program to setup new Debian install's.... but I can't figure this problem/error out...... I can't get it to copy a .bashrc file to a new users /home directory even with 777 permissions.
Here are the declarations and setting of the variables:
21 CURRENTDIR=/tmp/svaka
22 BASHRC=.bashrc
23 NANORC=.nanorc
24 BASHRCROOT=.bashrcroot
Here are the files the program uses and they are in the same directory the program runs from:
$ls -sail /tmp/svaka
total 110
21 1 drwxrwxrwx 3 root root 1024 Sep 13 05:21 .
2 3 drwxrwxrwt 13 root root 3072 Sep 13 05:20 ..
34 4 -rwxrwxrwx 1 root root 3250 Sep 11 23:27 .bashrc
36 3 -rwxrwxrwx 1 root root 2517 Sep 11 23:27 .bashrcroot
31 1 -rwxrwxrwx 1 root root 524 Sep 11 23:27 changePasswords.bash
28 2 -rwxrwxrwx 1 root root 1235 Sep 11 23:27 checkSystem
42 1 -rwxrwxrwx 1 root root 594 Sep 13 04:29 checuserpass.sh
39 0 -rwxrwxrwx 1 root root 0 Sep 11 23:28 cpSuccessCodes.txt
25 8 -rwxrwxrwx 1 root root 8048 Sep 11 23:27 debianConfig_1.bash
32 11 -rwxrwxrwx 1 root root 10326 Sep 13 05:21 debianConfig_awsome.3.2.sh
33 4 -rwxrwxrwx 1 root root 3971 Sep 11 23:27 debianConfig.sh
35 9 -rwxrwxrwx 1 root root 8481 Sep 11 23:27 debianConfig_version.3.0.sh
38 7 -rwxrwxrwx 1 root root 6970 Sep 13 05:07 debianConfigVersion3.1ERRORS.txt
340 1 -rw-r--r-- 1 root root 1024 Sep 13 05:13 .debianConfigVersion3.1ERRORS.txt.swp
40 11 -rwxrwxrwx 1 root root 10658 Aug 3 2016 deb-multimedia-keyring_2016.8.1_all.deb
41 11 -rwxrwxrwx 1 root root 10658 Aug 3 2016 deb-multimedia-keyring_2016.8.1_all.deb.1
397 11 -rw-r--r-- 1 root root 10658 Aug 3 2016 deb-multimedia-keyring_2016.8.1_all.deb.2
43 3 drwxrwxrwx 6 root root 3072 Sep 13 05:01 nanorc
26 9 -rwxrwxrwx 1 root root 8833 Sep 11 23:27 .nanorc
30 1 -rwxrwxrwx 1 root root 862 Sep 11 23:27 sources.list
37 2 -rwxrwxrwx 1 root root 1723 Sep 11 23:27 ssh_config
27 3 -rwxrwxrwx 1 root root 2573 Sep 11 23:27 sshd_config
24 1 -rwxrwxrwx 1 root root 134 Sep 11 23:27 testing3892739.sh
22 1 -rwxrwxrwx 1 root root 772 Sep 11 23:27 testing.sh
29 1 -rwxrwxrwx 1 root root 71 Sep 11 23:27 userlist.txt
23 1 -rwxrwxrwx 1 root root 71 Sep 11 23:27 users.txt
Here is the code:
300 for user in "$#"
301 do
302 if [ "$user" = root ]
303 then
304 continue
305 fi
306 sudo -i -u "$user" user="$user" CURRENTDIR="$CURRENTDIR" BASHRC="$BASHRC" bash <<'EOF'
307 echo "usersBashrc"
308 if /bin/cp -f "$CURRENTDIR/$BASHRC" "$HOME/.bashrc"
309 then
310 echo "Copy for $user \(bashrc\) succeeded!"
311 sleep 3
312 else
313 echo "Couldn't cp .bashrc for user $user"
314 exit 127
315 fi
316 chown $user:$user "$HOME/.bashrc" || exit 127
317 chmod 644 "$HOME/.bashrc"
318 wget https://raw.github.com/trapd00r/LS_COLORS/master/LS_COLORS -O "$HOME"/.dircolors
319 echo 'eval $(dircolors -b $HOME/.dircolors)' >> "$HOME"/.bashrc
320 EOF
321 done
I can get it to work if I add this line:
chown $user:$user "$CURRENTDIR"/.bashrc
just before I enter the sudo
QUESTION:
My question is, shouldn't I be able to copy the file because it has 777 permissions set read,write and execute even though I'm not the owner?
EDIT #1:
(root#HOST)-(15:11:52)-(/tmp/svaka)
$./system38.sh something71 something
+ for user in "$#"
+ '[' something71 = root ']'
+ chown something71:something71 /tmp/svaka/.bashrc
+ sudo -i -u something71 user=something71 CURRENTDIR=/tmp/svaka BASHRC= bash
usersBashrc
/bin/cp: -r not specified; omitting directory '/tmp/svaka/'
Couldn't cp .bashrc for user something71
(root#HOST)-(15:11:54)-(/tmp/svaka)
$ls -sail
total 136
21 1 drwxrwxrwx 3 root root 1024 Sep 13 15:11 .
2 3 drwxrwxrwt 13 root root 3072 Sep 13 15:11 ..
34 4 -rwxrwxrwx 1 something71 something71 3250 Sep 11 23:27 .bashrc
36 3 -rwxrwxrwx 1 root root 2517 Sep 11 23:27 .bashrcroot
31 1 -rwxrwxrwx 1 root root 524 Sep 11 23:27 changePasswords.bash
28 2 -rwxrwxrwx 1 root root 1235 Sep 11 23:27 checkSystem
42 1 -rwxrwxrwx 1 something78 something78 594 Sep 13 04:29 checuserpass.sh
39 0 -rwxrwxrwx 1 root root 0 Sep 11 23:28 cpSuccessCodes.txt
25 8 -rwxrwxrwx 1 root root 8048 Sep 11 23:27 debianConfig_1.bash
32 11 -rwxrwxrwx 1 root root 10426 Sep 13 14:32 debianConfig_awsome.3.3.sh
33 4 -rwxrwxrwx 1 root root 3971 Sep 11 23:27 debianConfig.sh
35 9 -rwxrwxrwx 1 root root 8481 Sep 11 23:27 debianConfig_version.3.0.sh
38 11 -rwxrwxrwx 1 root root 10661 Sep 13 09:06 debianConfigVersion3.1ERRORS.txt
40 11 -rwxrwxrwx 1 root root 10658 Aug 3 2016 deb-multimedia-keyring_2016.8.1_all.deb
41 11 -rwxrwxrwx 1 root root 10658 Aug 3 2016 deb-multimedia-keyring_2016.8.1_all.deb.1
397 11 -rwxrwxrwx 1 root root 10658 Aug 3 2016 deb-multimedia-keyring_2016.8.1_all.deb.2
398 11 -rwxrwxrwx 1 root root 10658 Aug 3 2016 deb-multimedia-keyring_2016.8.1_all.deb.3
340 11 -rw-r--r-- 1 root root 10658 Aug 3 2016 deb-multimedia-keyring_2016.8.1_all.deb.4
43 3 drwxrwxrwx 6 root root 3072 Sep 13 05:01 nanorc
26 9 -rwxrwxrwx 1 root root 8833 Sep 11 23:27 .nanorc
30 1 -rwxrwxrwx 1 root root 862 Sep 11 23:27 sources.list
37 2 -rwxrwxrwx 1 root root 1723 Sep 11 23:27 ssh_config
27 3 -rwxrwxrwx 1 root root 2573 Sep 11 23:27 sshd_config
400 1 -rwxr-xr-x 1 root root 793 Sep 13 15:11 system38.sh
24 1 -rwxrwxrwx 1 root root 134 Sep 11 23:27 testing3892739.sh
22 1 -rwxrwxrwx 1 root root 772 Sep 11 23:27 testing.sh
29 1 -rwxrwxrwx 1 root root 71 Sep 11 23:27 userlist.txt
23 1 -rwxrwxrwx 1 root root 71 Sep 11 23:27 users.txt
(root#HOST)-(15:12:05)-(/tmp/svaka)

I can get it working if I change the quoting on the variable.....
/bin/cp "$CURRENTDIR/$BASHRC" "$HOME/.bashrc"
to
/bin/cp "$CURRENTDIR"/"$BASHRC" "$HOME/.bashrc"
I'm new to programming so I don't have any explanations for this.

topojson command not added on npm install

I am getting an error when using topojson saying that the command cannot be found. I think the install has gone OK but there just isn't a command for topojson, but there are ones for topo2geo, topomerge etc. I'm using nvm if that is relevant and on mac.
Some Node details:
Grahams-MacBook-Air:data grahamfletcher$ ls -l /Users/grahamfletcher/.nvm/versions/node/v7.10.0/lib/node_modules/
total 0
drwxr-xr-x 3 grahamfletcher staff 102 14 Jul 22:01 #angular
drwxr-xr-x 7 grahamfletcher staff 238 10 Oct 02:58 create-react-app
drwxr-xr-x 11 grahamfletcher staff 374 14 Jul 23:35 eslint
drwxr-xr-x 18 grahamfletcher staff 612 25 Jul 01:34 nodemon
drwxr-xr-x 25 grahamfletcher staff 850 3 May 2017 npm
drwxr-xr-x 13 grahamfletcher staff 442 22 Nov 13:00 ogr2ogr
drwxr-xr-x 11 grahamfletcher staff 374 22 Nov 14:42 topojson
topojson is there, but...
Grahams-MacBook-Air:data grahamfletcher$ ls -l /Users/grahamfletcher/.nvm/versions/node/v7.10.0/bin
total 69760
lrwxr-xr-x 1 grahamfletcher staff 45 10 Oct 02:58 create-react-app -> ../lib/node_modules/create-react-app/index.js
lrwxr-xr-x 1 grahamfletcher staff 40 14 Jul 23:35 eslint -> ../lib/node_modules/eslint/bin/eslint.js
lrwxr-xr-x 1 grahamfletcher staff 70 15 Nov 11:10 geo2topo -> ../lib/node_modules/topojson/node_modules/topojson-server/bin/geo2topo
lrwxr-xr-x 1 grahamfletcher staff 39 14 Jul 22:01 ng -> ../lib/node_modules/#angular/cli/bin/ng
-rwxr-xr-x 1 grahamfletcher staff 35672760 3 May 2017 node
lrwxr-xr-x 1 grahamfletcher staff 42 25 Jul 01:34 nodemon -> ../lib/node_modules/nodemon/bin/nodemon.js
lrwxr-xr-x 1 grahamfletcher staff 38 3 May 2017 npm -> ../lib/node_modules/npm/bin/npm-cli.js
lrwxr-xr-x 1 grahamfletcher staff 70 15 Nov 11:10 topo2geo -> ../lib/node_modules/topojson/node_modules/topojson-client/bin/topo2geo
lrwxr-xr-x 1 grahamfletcher staff 71 15 Nov 11:10 topomerge -> ../lib/node_modules/topojson/node_modules/topojson-client/bin/topomerge
lrwxr-xr-x 1 grahamfletcher staff 74 15 Nov 11:10 topoquantize -> ../lib/node_modules/topojson/node_modules/topojson-client/bin/topoquantize
lrwxr-xr-x 1 grahamfletcher staff 76 15 Nov 11:10 toposimplify -> ../lib/node_modules/topojson/node_modules/topojson-simplify/bin/toposimplify
No topojson here??
My path, which is saying something about a valid identifier. Is this an issue?
Grahams-MacBook-Air:data grahamfletcher$ export $PATH
-bash: export: `/Library/Frameworks/GDAL.framework/Programs:/opt/local/bin:/opt/local/sbin:/Users/grahamfletcher/.nvm/versions/node/v7.10.0/bin:/usr/local/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/opt/local/bin:/usr/local/share/dotnet:/Library/Frameworks/Mono.framework/Versions/Current/Commands': not a valid identifier

why not insert a watch to the top level directory with auditctl?

With the man manual, I know some information about auditctl. But with the option -w path, I found some information as follow:
Insert a watch for the file system object at path. You cannot insert a watch to the top level directory. This is prohibited by the kernel. Wildcards are not supported either and will generate a warning.
According to my understanding, I think the command auditctl -w / could not insert a watch to the top level directory. But with my test in CentOS, I found that is OK?
The result test information:
[centos#localhost ~]$ sudo auditctl -w /
[centos#localhost ~]$ sudo auditctl -l
-w / -p rwxa
[centos#localhost ~]$ cd /
[centos#localhost /]$ pwd
/
[centos#localhost /]$ ll
total 24
-rw-r--r--. 1 root root 0 Mar 13 17:01 1
lrwxrwxrwx. 1 root root 7 Mar 13 16:56 bin -> usr/bin
dr-xr-xr-x. 4 root root 4096 Mar 13 17:15 boot
drwxr-xr-x. 20 root root 3320 Mar 14 02:15 dev
drwxr-xr-x. 142 root root 8192 Mar 14 02:14 etc
drwxr-xr-x. 3 root root 20 Mar 13 17:12 home
lrwxrwxrwx. 1 root root 7 Mar 13 16:56 lib -> usr/lib
lrwxrwxrwx. 1 root root 9 Mar 13 16:56 lib64 -> usr/lib64
drwxr-xr-x. 2 root root 6 Nov 5 11:38 media
-rw-r--r--. 1 root root 0 Mar 13 21:40 mmm
drwxr-xr-x. 2 root root 6 Nov 5 11:38 mnt
drwxr-xr-x. 3 root root 16 Mar 13 17:08 opt
dr-xr-xr-x. 219 root root 0 Mar 14 02:14 proc
dr-xr-x---. 6 root root 234 Mar 13 11:53 root
drwxr-xr-x. 40 root root 1180 Mar 14 02:15 run
lrwxrwxrwx. 1 root root 8 Mar 13 16:56 sbin -> usr/sbin
drwxr-xr-x. 2 root root 6 Nov 5 11:38 srv
dr-xr-xr-x. 13 root root 0 Mar 14 02:14 sys
drwxrwxrwt. 42 root root 4096 Mar 14 04:04 tmp
drwxr-xr-x. 2 root root 6 Mar 13 21:40 ttt
drwxr-xr-x. 13 root root 155 Mar 13 16:56 usr
drwxr-xr-x. 21 root root 4096 Mar 14 02:14 var
[centos#localhost /]$ sudo mkdir alex
[centos#localhost /]$ sudo touch alexzl
[centos#localhost /]$ ll
total 24
-rw-r--r--. 1 root root 0 Mar 13 17:01 1
drwxr-xr-x. 2 root root 6 Mar 14 04:17 alex
-rw-r--r--. 1 root root 0 Mar 14 04:17 alexzl
lrwxrwxrwx. 1 root root 7 Mar 13 16:56 bin -> usr/bin
dr-xr-xr-x. 4 root root 4096 Mar 13 17:15 boot
drwxr-xr-x. 20 root root 3320 Mar 14 02:15 dev
drwxr-xr-x. 142 root root 8192 Mar 14 02:14 etc
drwxr-xr-x. 3 root root 20 Mar 13 17:12 home
lrwxrwxrwx. 1 root root 7 Mar 13 16:56 lib -> usr/lib
lrwxrwxrwx. 1 root root 9 Mar 13 16:56 lib64 -> usr/lib64
drwxr-xr-x. 2 root root 6 Nov 5 11:38 media
-rw-r--r--. 1 root root 0 Mar 13 21:40 mmm
drwxr-xr-x. 2 root root 6 Nov 5 11:38 mnt
drwxr-xr-x. 3 root root 16 Mar 13 17:08 opt
dr-xr-xr-x. 218 root root 0 Mar 14 02:14 proc
dr-xr-x---. 6 root root 234 Mar 13 11:53 root
drwxr-xr-x. 40 root root 1180 Mar 14 02:15 run
lrwxrwxrwx. 1 root root 8 Mar 13 16:56 sbin -> usr/sbin
drwxr-xr-x. 2 root root 6 Nov 5 11:38 srv
dr-xr-xr-x. 13 root root 0 Mar 14 02:14 sys
drwxrwxrwt. 42 root root 4096 Mar 14 04:04 tmp
drwxr-xr-x. 2 root root 6 Mar 13 21:40 ttt
drwxr-xr-x. 13 root root 155 Mar 13 16:56 usr
drwxr-xr-x. 21 root root 4096 Mar 14 02:14 var
[centos#localhost /]$ sudo ausearch -f /
.............
.............
time->Tue Mar 14 04:17:00 2017
type=PATH msg=audit(1489479420.957:1682): item=1 name="alex" objtype=CREATE
type=PATH msg=audit(1489479420.957:1682): item=0 name="/" inode=64 dev=fd:00 mode=040555 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:root_t:s0 objtype=PARENT
type=CWD msg=audit(1489479420.957:1682): cwd="/"
type=SYSCALL msg=audit(1489479420.957:1682): arch=c000003e syscall=83 success=no exit=-13 a0=7ffeb030b435 a1=1ff a2=1ff a3=7ffeb030a370 items=2 ppid=3444 pid=5955 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="mkdir" exe="/usr/bin/mkdir" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
.............
time->Tue Mar 14 04:17:39 2017
type=PATH msg=audit(1489479459.343:1915): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=33613563 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 objtype=NORMAL
type=PATH msg=audit(1489479459.343:1915): item=0 name="/usr/bin/sudo" inode=1461019 dev=fd:00 mode=0104111 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:sudo_exec_t:s0 objtype=NORMAL
type=CWD msg=audit(1489479459.343:1915): cwd="/"
type=EXECVE msg=audit(1489479459.343:1915): argc=3 a0="sudo" a1="touch" a2="alexzl"
type=BPRM_FCAPS msg=audit(1489479459.343:1915): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 new_pp=0000001fffffffff new_pi=0000000000000000 new_pe=0000001fffffffff
type=SYSCALL msg=audit(1489479459.343:1915): arch=c000003e syscall=59 success=yes exit=0 a0=e21e00 a1=e99fb0 a2=e34670 a3=7ffe09a62fa0 items=2 ppid=3444 pid=5971 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="sudo" exe="/usr/bin/sudo" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----
Why the man manual does not support insertion a watch to the top level directory, but the test is OK?

I think this problem is that it limit to insert a watch on the top level directory not the child directory or file. for example, if you want to insert a watch to root directory, it is prohibited, but it could add the watches to child directory and file at the same time.

Resources