command missing
Steve Grubb
sgrubb at redhat.com
Mon Apr 23 15:05:25 UTC 2007
On Monday 23 April 2007 10:46, xi-chen-0 at northwestern.edu wrote:
> If I do "auditctl -a entry,always -w /etc/passwd",
This is mixing syscall auditing with filesystem auditing. It would be more
correct to do:
auditctl -w /etc/passwd
> then "grep man /etc/passwd", then "ausearch -f passwd", the "grep" command
> is logged in the log file.
correct.
> However, if I do "auditctl -a entry,always -w /etc",
This will watch the directory, not its contents. IOW, it will detect changes
to the directory entries, not access to the files in the directories.
> then "grep man /etc/passwd", then "ausearch -f passwd", the "grep" command
> is not logged in the log file.
See above
> However, the "vim" command is recorded if I use vim to open
> that "/etc/passwd" file.
Because it modifies the dir entries.
> Is this the preassumed behavior for the auditing system
In its current state, yes.
> ps: Is there a better way to monitor the whole filesystem behaviors, such
> as open, create, delete syscalls, instead of just monitoring a single
> directory?
Yes, you may use syscall auditing:
auditctl -a always,exit -S open -F devmajor=0x10 -F devminor=0x0F
You can use devmajor/minor to select the partition that you want to audit. You
can also use -f exit to select failed accesses.
We are working on a way to audit whole subtrees with audit rules, but right
now syscall auditing is the only option.
-Steve
More information about the Linux-audit
mailing list