On Monday 23 April 2007 10:46, xi-chen-0(a)northwestern.edu wrote:
> If I do "auditctl -a entry,always -w /etc/passwd",
This is mixing syscall auditing with filesystem auditing. It would be more 
correct to do:
auditctl -w /etc/passwd
> then "grep man /etc/passwd", then "ausearch -f passwd", the "grep" command
> is logged in the log file.
Correct.
> However, if I do "auditctl -a entry,always -w /etc",
This will watch the directory, not its contents. IOW, it will detect changes 
to the directory entries, not access to the files in the directories.
> then "grep man /etc/passwd", then "ausearch -f passwd", the "grep" command
> is not logged in the log file.
See above.
> However, the "vim" command is recorded if I use vim to open
> that "/etc/passwd" file.
Because it modifies the dir entries.
> Is this the presumed behavior for the auditing system?
In its current state, yes.
> PS: Is there a better way to monitor the whole filesystem behaviors, such
> as open, create, delete syscalls, instead of just monitoring a single
> directory?
Yes, you may use syscall auditing:
auditctl -a always,exit -S open -F devmajor=0x10 -F devminor=0x0F
You can use devmajor/minor to select the partition that you want to audit. You 
can also use -f exit to select failed accesses.
We are working on a way to audit whole subtrees with audit rules, but right 
now syscall auditing is the only option.
-Steve
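As an added example (not part of the thread above), the following shell helpers show where the devmajor/devminor values in Steve's syscall rule come from: they decode the Linux dev_t that stat(1) reports for a path, and emit the rule in the same form as the example, alongside the plain file watch that the first part of the thread uses. The function names and the sample device numbers are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Derives the devmajor/devminor
# of the filesystem a path lives on and builds the matching auditctl rule.
# No root or auditctl needed; only syscall_rule_for_path shells out to stat(1).

# Decode a Linux dev_t (as printed by `stat -c %d`) into "major minor".
# Bit layout follows glibc's makedev(): major = bits 8-19 plus bits 32-43,
# minor = bits 0-7 plus bits 20-31 (so minors above 255 decode correctly).
dev_to_majmin() {
    dev=$1
    major=$(( ((dev >> 8) & 0xfff) | ((dev >> 32) & 0xfffff000) ))
    minor=$(( (dev & 0xff) | ((dev >> 12) & 0xffffff00) ))
    printf '%s %s\n' "$major" "$minor"
}

# Emit the syscall rule from the thread for a given dev_t, with the numbers
# written in hex the way the example rule has them (0x10 / 0x0F).
syscall_rule_for_dev() {
    set -- $(dev_to_majmin "$1")
    printf 'auditctl -a always,exit -S open -F devmajor=0x%02X -F devminor=0x%02X\n' "$1" "$2"
}

# Same rule, starting from a path: stat(1) reports the device the file is on,
# which is what selects the partition to audit (watches on a directory would
# only report changes to its entries, as explained above).
syscall_rule_for_path() {
    syscall_rule_for_dev "$(stat -c %d "$1")"
}

# For contrast: the per-file watch that works for /etc/passwd in the thread.
# -p r/w/a limit the watch to read, write and attribute-change accesses.
watch_rule_for_path() {
    printf 'auditctl -w %s -p rwa\n' "$1"
}

# Constructed sample: dev_t 4111 is major 16, minor 15, i.e. the example rule.
syscall_rule_for_dev 4111
watch_rule_for_path /etc/passwd
```

Run `syscall_rule_for_path /etc` on a live system to get the rule for whatever partition holds /etc; 4111 and 1050668 used in the checks are constructed device numbers.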