On Monday 23 April 2007 10:46, [EMAIL PROTECTED] wrote: > If I do "auditctl -a entry,always -w /etc/passwd",
This is mixing syscall auditing with filesystem auditing. It would be more correct to do: auditctl -w /etc/passwd > then "grep man /etc/passwd", then "ausearch -f passwd", the "grep" command > is logged in the log file. correct. > However, if I do "auditctl -a entry,always -w /etc", This will watch the directory, not its contents. IOW, it will detect changes to the directory entries, not access to the files in the directories. > then "grep man /etc/passwd", then "ausearch -f passwd", the "grep" command > is not logged in the log file. See above > However, the "vim" command is recorded if I use vim to open > that "/etc/passwd" file. Because it modifies the dir entries. > Is this the preassumed behavior for the auditing system In its current state, yes. > ps: Is there a better way to monitor the whole filesystem behaviors, such > as open, create, delete syscalls, instead of just monitoring a single > directory? Yes, you may use syscall auditing: auditctl -a always,exit -S open -F devmajor=0x10 -F devminor=0x0F You can use devmajor/minor to select the partition that you want to audit. You can also use -f exit to select failed accesses. We are working on a way to audit whole subtrees with audit rules, but right now syscall auditing is the only option. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
