[Gllug] stat'ing a file shows it was changed today and yet it has the date of a few days ago

Richard W.M. Jones rich at annexia.org
Wed Jun 22 11:14:52 UTC 2011


On Wed, Jun 22, 2011 at 11:46:36AM +0100, Nix wrote:
> On 22 Jun 2011, Richard W. M. Jones verbalised:
> 
> > On Tue, Jun 21, 2011 at 10:16:55AM +0100, Nix wrote:
> >> On 21 Jun 2011, John Edwards said:
> >> > There is a strange little hack called snoopy, which is a preload shared
> >> > library that wraps calls to execve() and effectively allows you to
> >> > log all commands being run on a machine:
> >> > 	http://sourceforge.net/projects/snoopylogger/
> >> 
> >> If you actually want to do this globally, it makes more sense to hack an
> >> appropriate auditing call directly into the kernel. But that's a bit
> >> trickier, perhaps.
> >
> > Just run the audit daemon, shirley?
> 
> Ah, it can do this already, can it? I wouldn't know: I've never felt the
> need to run it.
> 
> > I'm told that some of our customers really use this to track every
> > tiny change to every file.
> 
> I'm sure reviewing those logs is utterly fascinating.

The comment from my colleague today (he actually worked on this) was:

  [Auditing every file change is] just about achievable if you
  want to spend as much on your audit infrastructure as you do on the
  rest of your infrastructure.

Rich.

-- 
Richard Jones
Red Hat
--
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
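The kernel-side approach Richard points at (running the audit daemon instead of an LD_PRELOAD wrapper such as snoopy) comes down to a few audit rules plus something to read the records back. The following is an added shell example, not code from the thread or from any of the projects mentioned: the rules file path, the `exec_log` and `etc_changes` key names, and the sample SYSCALL record are all constructed here for illustration. The functions run without root or auditctl, so the rule set and the record parser can be checked on any box.

```shell
#!/bin/sh
# Added example (not from the thread): auditd rules that log every execve()
# system-wide, which is what snoopy does from user space, plus a small parser
# for the SYSCALL records auditd writes. Key names, the rules path and the
# sample record below are constructed for illustration.

# Emit the rules you would drop into /etc/audit/rules.d/exec.rules (path assumed).
exec_audit_rules() {
    cat <<'EOF'
## Log every program execution on the 64-bit and 32-bit ABIs.
-a always,exit -F arch=b64 -S execve -k exec_log
-a always,exit -F arch=b32 -S execve -k exec_log
## Watch one directory for writes and attribute changes. Doing this for every
## path on the system is the "audit every file change" setup that costs as
## much as the rest of the infrastructure.
-w /etc -p wa -k etc_changes
EOF
}

# Sanity check on the rule set: how many rules fire on execve.
count_execve_rules() {
    exec_audit_rules | grep -c -- '-S execve'
}

# Constructed sample SYSCALL record in the shape auditd writes to audit.log
# (syscall=59 is execve on x86_64).
SAMPLE_RECORD='type=SYSCALL msg=audit(1308740092.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b3c a1=1a2b4d a2=1a2b5e a3=0 items=2 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="exec_log"'

# Extract one key=value field from a record, with surrounding quotes stripped.
# $1 = record, $2 = field name
audit_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p"
}

# Summarise a SYSCALL record as "auid uid exe": auid is the login uid, which
# survives su/sudo, so it tells you who really ran the command.
summarise_exec() {
    printf '%s %s %s\n' "$(audit_field "$1" auid)" "$(audit_field "$1" uid)" "$(audit_field "$1" exe)"
}

exec_audit_rules
summarise_exec "$SAMPLE_RECORD"
```

On a live system the same fields come back from `ausearch -k exec_log`, and the `auid` column is the one worth keying reports on, since `uid` changes across sudo but the login uid does not.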