[Gllug] Auditable filesystems

Tethys tet at accucard.com
Fri Aug 9 09:10:58 UTC 2002


Does anyone know of any means of auditing file system activity? I'm
asking because some files have mysteriously disappeared from our CVS
repository. I've restored them from backup, but no one knows how they
were removed. It'd be really handy to have a log[1] somewhere saying:

  user xyz: process 12345 (/bin/rm): unlink of inode 54321 (/path/to/file)

Not sure how this would be implemented, though. Directly in the
filesystem?  But would that have access to user and process info?
In the VFS? Elsewhere? Would something like fam(1) help? As far as
I can tell, fam needs you to preregister your interest in a given
file or directory, where I'm more interested in the entire filesystem.

Thoughts?

Tet

[1] Obviously, this could generate unfeasibly huge quantities of logging,
    so it should default to none, and could be configurable to only log
    certain actions (e.g., only tell me about unlink, rename and chmod
    operations, for example).

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug



