Auditing File Changes

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Jul 10 17:42:43 UTC 2006


On Mon, 10 Jul 2006 10:29:38 PDT, eklinger at uci.edu said:
> Good morning. Please forgive me if this has been asked, but will the file
> watch functionality be able to intercept writes and/or be able to
> intercept the actual changes to the file and report those, in addition to
> the fact that the file was modified?

No.  In particular, logging the actual changes is out of the question,
because of the volume-of-data issue.  Even logging the fact that writes
occurred is painful - that's why the filter usually used is "file being
opened with write permission" and make the assumption that if it opened
it for write, it will/did actually write to it....
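
The filter described in the reply above, as an added example that is not part of the original message or the audit project's code: it walks audit records and reports only successful opens that requested write access, whether or not a write followed. The log lines are constructed, and the record layout, the x86_64 syscall numbers (2 for open, 257 for openat) and the `cfg-watch` key are assumptions.

```python
import re

# Constructed sample records (not from the original post), in auditd's raw
# log layout; assumes x86_64, where syscall 2 is open and 257 is openat.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1152553363.101:501): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc1000 a1=0 a2=0 a3=0 pid=411 uid=0 comm="cat" key="cfg-watch"
type=PATH msg=audit(1152553363.101:501): item=0 name="/etc/app.conf" inode=1201
type=SYSCALL msg=audit(1152553370.442:502): arch=c000003e syscall=2 success=yes exit=3 a0=7ffc2000 a1=241 a2=1b6 a3=0 pid=412 uid=0 comm="sh" key="cfg-watch"
type=PATH msg=audit(1152553370.442:502): item=0 name="/etc/app.conf" inode=1201
type=SYSCALL msg=audit(1152553381.007:503): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffc3000 a2=2 a3=0 pid=413 uid=1000 comm="editor" key="cfg-watch"
type=PATH msg=audit(1152553381.007:503): item=0 name="/etc/app.conf" inode=1201
'''

O_ACCMODE, O_WRONLY, O_RDWR = 0o3, 0o1, 0o2
FLAGS_ARG = {2: "a1", 257: "a2"}  # argument that carries the open flags (hex)
EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one record into (event id, field dict); id is None if absent."""
    m = EVENT_ID.search(line)
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    return (m.group(1) if m else None), fields

def write_opens(log_text):
    """Return one dict per successful open()/openat() that asked for write access."""
    events = {}
    for line in log_text.splitlines():
        event_id, fields = parse(line)
        if event_id is None:
            continue
        rec = events.setdefault(event_id, {})  # SYSCALL and PATH share an id
        if fields.get("type") == "SYSCALL":
            rec["syscall"] = fields
        elif fields.get("type") == "PATH":
            rec.setdefault("paths", []).append(fields.get("name"))
    hits = []
    for event_id, rec in events.items():
        sc = rec.get("syscall", {})
        arg = FLAGS_ARG.get(int(sc.get("syscall", -1)))
        if arg is None or sc.get("success") != "yes":
            continue
        mode = int(sc[arg], 16) & O_ACCMODE
        if mode in (O_WRONLY, O_RDWR):  # reported even if no write() ever happens
            hits.append({"event": event_id, "comm": sc.get("comm"), "paths": rec.get("paths", []),
                         "mode": "O_WRONLY" if mode == O_WRONLY else "O_RDWR"})
    return hits

if __name__ == "__main__":
    print(*write_opens(SAMPLE_LOG), sep="\n")
```
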