From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: command missing
Date: Mon, 23 Apr 2007 11:05:25 -0400
Message-ID: <200704231105.25952.sgrubb@redhat.com>
References: <20070423144612.19CE11C@lulu.it.northwestern.edu>
Mime-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <20070423144612.19CE11C@lulu.it.northwestern.edu>
Content-Disposition: inline
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com, xi-chen-0@northwestern.edu
List-Id: linux-audit@redhat.com

On Monday 23 April 2007 10:46, xi-chen-0@northwestern.edu wrote:
> If I do "auditctl -a entry,always -w /etc/passwd", 

This is mixing syscall auditing with filesystem auditing. It would be more 
correct to do:

auditctl -w /etc/passwd

> then "grep man /etc/passwd", then "ausearch -f passwd", the "grep" command
> is logged in  the log file.

correct.

> However, if I do "auditctl -a entry,always -w /etc", 

This will watch the directory, not its contents. IOW, it will detect changes 
to the directory entries, not access to the files in the directories.

> then "grep man /etc/passwd", then "ausearch -f passwd", the "grep" command
> is not logged in the log file.

See above

> However, the "vim" command is recorded if I use vim to open
> that "/etc/passwd" file.

Because it modifies the dir entries.

> Is this the preassumed behavior for the auditing system 

In its current state, yes.

> ps: Is there a better way to monitor the whole filesystem behaviors, such
> as open, create, delete syscalls, instead of just monitoring a single
> directory?

Yes, you may use syscall auditing:

auditctl -a always,exit -S open -F devmajor=0x10 -F devminor=0x0F

You can use devmajor/minor to select the partition that you want to audit. You 
can also use -f  exit to select failed accesses.

We are working on a way to audit whole subtrees with audit rules, but right 
now syscall auditing is the only option.

-Steve