[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Auditing filesystems for Linux?

On Thu, Oct 03, 2002 at 03:56:13PM -0400, Rechenberg, Andrew wrote:
> Does anyone know of any Linux-based filesystem that does file-level
> auditing and logs based on username?  Does ext2/3 do such auditing
> (stock or with patches)?  I would like a filesystem that can be told to
> audit and log file deletions and log the username that deleted the file
> (similar to auditing on NTFS).

This isn't really a filesystem issue.  Most attempts to do this sort
of thing at the more generic layer, such as in the VFS, or at the
system call layer.  There used to be a project, called auditd, that
would do what you wanted, but the domain name hert.org where the
project lived doesn't seem to be around any more.  

Given what you want to do, the LSM patches give you enough hooks that
it would be easy to write a module that would provide audit logs for
unlink system calls.  Alternatively, if you are more worried about
tracking accidents, you could just use LD_PRELOAD and create a shared
library which tracked unlink calls go glibc.  This doesn't protect you
against statically linked binaries, so it would track a determined
user, but it would track accidents.  So this isn't as good as the LSM
approach, but using an ld_preload has the advantage that it's
user-space only; it doesn't require any kernel patches.

> I know, I should be using file permissions to prevent this type of
> deletion from occurring, but in order for the database/application that
> we are running to operate correctly, file permissions have to be set
> -rw-rw-r--.  Since all files have those permissions, anyone in a
> particular group can write to a file and therefore can delete the file
> should they want to, or fat finger a command and delete it accidentally.

Why can't the database/application be setgid to the correct group, and
then you don't put any users in that group?  So users will be able to
run the database/application, but they won't be able to delete or
modify the file outside of using the application.

					- Ted

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]