I've been doing a lot of research on this, and I keep coming up with things
that don't work, have been abandoned, or are almost impossible to find or get
working. So I'll ask here. Maybe one of the ultra-elightened linux gods
will have a ready answer.
I want to be able to audit system calls - I want to log when files are opened,
created, changed, deleted, etc. Preferably I would like to do it without
having to apply kernel patches, using vanilla (or close to vanilla) kernel.
If this isn't possible, my net preference is to use a module. If this isn't
possible, well, I'll do what I have to.
I notice there is a CONFIG_AUDIT option. Is this what I am looking for, and
how do I use it? /dev/audit seems not to work...
Thanks. If you can even point me a suitable FM to R, I'd be content.
--Russell
--
Russell Miller - [email protected] - Agoura, CA
* Russell Miller ([email protected]) wrote:
> I've been doing a lot of research on this, and I keep coming up with things
> that don't work, have been abandoned, or are almost impossible to find or get
> working. So I'll ask here. Maybe one of the ultra-elightened linux gods
> will have a ready answer.
You'll have better luck using linux-audit list.
> I want to be able to audit system calls - I want to log when files are opened,
> created, changed, deleted, etc. Preferably I would like to do it without
> having to apply kernel patches, using vanilla (or close to vanilla) kernel.
> If this isn't possible, my net preference is to use a module. If this isn't
> possible, well, I'll do what I have to.
No patches needed (although you will want 2.6.11 because the inode filter
was busted, and you'll likely want to use it), for opened anyway. You'll
need an additional auditfs patch for created/deleted/changed(for more
than just knowing open w/ write access) and it's not a stable patch yet.
> I notice there is a CONFIG_AUDIT option. Is this what I am looking for, and
> how do I use it? /dev/audit seems not to work...
You'll need auditd, auditctl, and some rules to capture what you care
about.
For example:
To watch accesses to /etc/passwd (not creation/deletion events).
# auditd
# auditctl -a entry,possible -S open
# auditctl -a exit,always -S open -F inode=(inode of /etc/passwd)
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
On Thu, 03 Mar 2005 22:18:11 PST, Russell Miller said:
> I've been doing a lot of research on this, and I keep coming up with things
> I notice there is a CONFIG_AUDIT option. Is this what I am looking for, and
> how do I use it? /dev/audit seems not to work...
oooh.. a victim^Wtester ;)
CONFIG_AUDIT is indeed what you're looking for, in combination with the audit-0.6.5
userspace end just released. Mailing list is [email protected], visit
http://www.redhat.com/mailman/listinfo/linux-audit for more info....
(Currently, there's still a add-on kernel patch for stuff that's not in
the mainstream yet - but that's hopefully temporary.. ;)