[Gllug] stat'ing a file shows it was changed today and yet it has the date of a few days ago
Richard W.M. Jones
rich at annexia.org
Wed Jun 22 11:14:52 UTC 2011
On Wed, Jun 22, 2011 at 11:46:36AM +0100, Nix wrote:
> On 22 Jun 2011, Richard W. M. Jones verbalised:
>
> > On Tue, Jun 21, 2011 at 10:16:55AM +0100, Nix wrote:
> >> On 21 Jun 2011, John Edwards said:
> >> > There is a strange little hack called snoopy, which a preload shared
> >> > library that wraps calls to execve() and effectively allows you to
> >> > log all commands being run on a machine:
> >> > http://sourceforge.net/projects/snoopylogger/
> >>
> >> If you actually want to do this globally, it makes more sense to hack an
> >> appropriate auditing call directly into the kernel. But that's a bit
> >> trickier, perhaps.
> >
> > Just run the audit daemon, shirley?
>
> Ah, it can do this already, can it? I wouldn't know: I've never felt the
> need to run it.
>
> > I'm told that some of our customers really use this to track every
> > tiny change to every file.
>
> I'm sure reviewing those logs is utterly fascinating.
The comment from my colleague today (he actually worked on this) was:
[Auditing every file change is] just about achievable if you
want to spend as much on your audit infrastructure as you do on the
rest of your infrastructure.
Rich.
--
Richard Jones
Red Hat
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
More information about the GLLUG
mailing list