Auditing File Changes
Casey Schaufler
casey at schaufler-ca.com
Mon Jul 10 19:32:14 UTC 2006
--- eklinger at uci.edu wrote:
> Good morning. Please forgive me if this has been
> asked, but will the file
> watch functionality be able to intercept writes
> and/or be able to
> intercept the actual changes to the file and report
> those, in addition to
> the fact that the file was modified?
As others have mentioned, the answer is no.
It might be an interesting project to create
a file system that does this level of audit.
Start with efs3's journaling mechanism and
retain all of the update information. True,
you'll run out of space in a hurry, but there
may be environments that would accept that.
Casey Schaufler
casey at schaufler-ca.com
More information about the Linux-audit
mailing list