[Gllug] Auditable filesystems
Matthew Kirkwood
matthew at hairy.beasts.org
Fri Aug 9 09:59:53 UTC 2002
On Fri, 9 Aug 2002, Tethys wrote:
> Does anyone know of any means of auditing file system activity? I'm
> asking because some files have mysteriously disappeared from our CVS
> repository. I've restored them from backup, but no one knows how they
> were removed. It'd be really handy to have a log[1] somewhere saying:
>
> user xyz: process 12345 (/bin/rm): unlink of inode 54321 (/path/to/file)

You could do it with something like Janus, or subterfugue:

 * http://www.cs.berkeley.edu/~daw/janus/
 * http://subterfugue.org/

though it'll be very slow (esp. as the Linux ptrace interface
doesn't let you say "just trap these syscalls").

There are a few kernel syscall auditing projects, though none
seemed particularly clean or complete. Alan seems to be
working on it:

 * http://www.linux.org.uk/diary/

with particular (though dissatisfied) reference to SNARE:

 * http://www.intersectalliance.com/projects/Snare/

Let me know if you play with any of these -- I have uses for
such things myself.

Matthew.
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug