command missing

[Steve Grubb]

On Monday 23 April 2007 10:46, xi-chen-0 at northwestern.edu wrote:
> If I do "auditctl -a entry,always -w /etc/passwd", 

This is mixing syscall auditing with filesystem auditing. It would be more 
correct to do:

auditctl -w /etc/passwd

> then "grep man /etc/passwd", then "ausearch -f passwd", the "grep" command
> is logged in  the log file.

correct.

> However, if I do "auditctl -a entry,always -w /etc", 

This will watch the directory, not its contents. IOW, it will detect changes 
to the directory entries, not access to the files in the directories.

> then "grep man /etc/passwd", then "ausearch -f passwd", the "grep" command
> is not logged in the log file.

See above

> However, the "vim" command is recorded if I use vim to open
> that "/etc/passwd" file.

Because it modifies the dir entries.

> Is this the preassumed behavior for the auditing system 

In its current state, yes.

> ps: Is there a better way to monitor the whole filesystem behaviors, such
> as open, create, delete syscalls, instead of just monitoring a single
> directory?

Yes, you may use syscall auditing:

auditctl -a always,exit -S open -F devmajor=0x10 -F devminor=0x0F

You can use devmajor/minor to select the partition that you want to audit. You 
can also use -f  exit to select failed accesses.

We are working on a way to audit whole subtrees with audit rules, but right 
now syscall auditing is the only option.

-Steve