[Gllug] Auditable filesystems

Robert McKay robert at mckay.com
Fri Aug 9 10:01:03 UTC 2002


On Fri, 9 Aug 2002, Tethys wrote:

> Does anyone know of any means of auditing file system activity? I'm
> asking because some files have mysteriously disappeared from our CVS
> repository. I've restored them from backup, but no one knows how they
> were removed. It'd be really handy to have a log[1] somewhere saying:

>   user xyz: process 12345 (/bin/rm): unlink of inode 54321 (/path/to/file)

> Not sure how this would be implemented, though. Directly in the
> filesystem?  But would that have access to user and process info?

Could do. It probably makes more sense to intercept the syscall though.
For one thing it'd be filesystem independent.

There seems to be a program that's been specifically designed to do this
sort of thing:

http://syscalltrack.sourceforge.net/when.html

Straight from the README:

2. When To Use It?
-----------------
Here are a few scenarios that will show what can be done with the system
call tracker. These scenarios actually happened to some of us on various
systems (not necessarily Linux) - and might have also happened to you.

-  you have an important file on the system mysteriously being deleted once
   in a while, and you wish to know which process is deleting the file.

Sounds like just the ticket :)

-Robert.


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
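
The interception idea from the reply above, as an added example that is not part of the original message and is not syscalltrack code: a C LD_PRELOAD shim that wraps libc's unlink() and unlinkat() and logs a record in the layout from the quoted question. It swaps kernel-level interception for user-space interposition; the names format_unlink_record and audit_unlink, the file name unlink_audit.c and the syslog destination are assumptions.

```c
/* LD_PRELOAD shim (added example): logs who removes which file. Linux only. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <syslog.h>
#include <unistd.h>

/* Format one record in the layout asked for in the quoted question. */
int format_unlink_record(char *out, size_t n, const char *user, long pid,
                         const char *exe, unsigned long ino, const char *path)
{
    return snprintf(out, n, "user %s: process %ld (%s): unlink of inode %lu (%s)",
                    user, pid, exe, ino, path);
}

/* Collect user, pid, executable and inode before the file is removed. */
static void audit_unlink(int dirfd, const char *path)
{
    char exe[4096] = "?", line[8704], pwbuf[1024];
    struct passwd pw, *res = NULL;
    struct stat st;
    unsigned long ino = 0; /* stays 0 if the path cannot be stat'ed */
    ssize_t len = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (len >= 0) exe[len] = '\0';
    /* reentrant lookup: must not clobber the host program's getpwuid() buffer */
    getpwuid_r(getuid(), &pw, pwbuf, sizeof pwbuf, &res);
    if (fstatat(dirfd, path, &st, AT_SYMLINK_NOFOLLOW) == 0)
        ino = (unsigned long)st.st_ino;
    format_unlink_record(line, sizeof line, res ? res->pw_name : "?",
                         (long)getpid(), exe, ino, path);
    syslog(LOG_AUTHPRIV | LOG_NOTICE, "%s", line);
}

/* Current coreutils rm calls unlinkat(), older tools unlink(): wrap both. */
int unlinkat(int dirfd, const char *path, int flags)
{
    audit_unlink(dirfd, path);
    return (int)syscall(SYS_unlinkat, dirfd, path, flags);
}

int unlink(const char *path)
{
    return unlinkat(AT_FDCWD, path, 0);
}
```

Build it with `cc -shared -fPIC -o unlink_audit.so unlink_audit.c` and start the process to be watched with `LD_PRELOAD` pointing at the resulting file. A preloaded library only sees dynamically linked programs that go through libc, so static binaries, direct system calls and setuid programs are not logged; interception inside the kernel does not have that gap.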