Auditing File Changes

LC Bruzenak lenny at bruzenak.com
Mon Jul 10 19:56:47 UTC 2006


On Mon, 2006-07-10 at 15:42 -0400, Valdis.Kletnieks at vt.edu wrote:
...
> 
> Probably depends on what actual problem he's trying to solve by recording
> all the changes.

Most likely the same one I have been working on all my career:

Security guy: Please deliver system with maximum security.
System guy (me): What do you need to know?
Security guy: Any and all changes to security-relevant files.
System guy: Which ones are those?
Security guy: All of 'em.

Basically my plan is this:
As Steve Grubb said, instrument the processes with trusted access.
Have file watches which note when certain "critical" files are opened
for write/append.
Have an audit analysis program which compares the trusted accesses to
the total accesses; the delta shows potentially interesting mods.

LCB.

-- 
LC Bruzenak
lenny at bruzenak.com
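As an added illustration of the plan above (this is example code, not anything from the original post or the audit project), the following Python script plays the "audit analysis program" role: it groups raw audit records by serial number, keeps only the events tagged by a critical-file watch rule, and reports the delta between those and a trusted-access policy. The rule key "critical-write", the TRUSTED policy table, and the sample audit.log records are all assumptions constructed for the example; the auditctl flags shown in the comments (-w, -p wa, -k) are real.

```python
import re
from collections import defaultdict

# Assumed audit rules (not from the original post), loaded with auditctl:
#   auditctl -w /etc/passwd -p wa -k critical-write
#   auditctl -w /etc/shadow -p wa -k critical-write
# -p wa watches write and attribute changes; -k tags every matching record.
WATCH_KEY = "critical-write"   # assumed key name

# Hypothetical trusted-access policy: executables allowed to modify each
# file. It doubles as the list of watched files, so keep it in sync with
# the auditctl rules above.
TRUSTED = {
    "/etc/passwd": {"/usr/sbin/useradd", "/usr/sbin/usermod", "/usr/bin/passwd"},
    "/etc/shadow": {"/usr/sbin/useradd", "/usr/sbin/usermod", "/usr/bin/passwd"},
}

_EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(log_text):
    """Group raw audit records by serial number into one dict per event.

    Each event carries the fields of its SYSCALL record plus a 'paths' list
    collected from its PATH records (one syscall may emit several PATH items,
    e.g. the parent directory and the file itself).
    """
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = _EVENT_RE.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
        ev = events[serial]
        if fields.get("type") == "SYSCALL":
            ev.update(fields)
            ev["time"] = m.group(1)
        elif fields.get("type") == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])
    return dict(events)


def find_untrusted_writes(log_text, trusted=TRUSTED, key=WATCH_KEY):
    """Return the delta: watched-file writes not made by a trusted executable.

    Failed attempts (success=no) are kept on purpose: a refused open of
    /etc/shadow for writing is at least as interesting as a successful one.
    """
    findings = []
    for serial, ev in sorted(parse_events(log_text).items()):
        if ev.get("key") != key:
            continue              # tagged by some other rule, or not tagged
        exe = ev.get("exe", "?")
        for path in ev["paths"]:
            if path not in trusted:
                continue          # e.g. a parent-directory PATH item
            if exe not in trusted[path]:
                findings.append({
                    "serial": serial,
                    "path": path,
                    "exe": exe,
                    "auid": ev.get("auid"),
                    "success": ev.get("success"),
                })
    return findings


# Constructed sample records in audit.log format (not real captures).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1152561407.123:101): arch=c000003e syscall=2 success=yes exit=4 items=1 ppid=900 pid=901 auid=500 uid=0 euid=0 comm="useradd" exe="/usr/sbin/useradd" key="critical-write"
type=PATH msg=audit(1152561407.123:101): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1152561420.456:102): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=950 pid=951 auid=501 uid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="critical-write"
type=PATH msg=audit(1152561420.456:102): item=0 name="/etc/shadow" inode=1235 dev=08:01 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1152561430.789:103): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=970 pid=971 auid=502 uid=502 euid=502 comm="bash" exe="/bin/bash" key="critical-write"
type=PATH msg=audit(1152561430.789:103): item=0 name="/etc/shadow" inode=1235 dev=08:01 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1152561440.000:104): arch=c000003e syscall=2 success=yes exit=5 items=1 ppid=1 pid=1200 auid=4294967295 uid=0 euid=0 comm="syslogd" exe="/sbin/syslogd" key="log-write"
type=PATH msg=audit(1152561440.000:104): item=0 name="/var/log/messages" inode=777 dev=08:01 mode=0100640 ouid=0 ogid=0
"""

if __name__ == "__main__":
    for f in find_untrusted_writes(SAMPLE_LOG):
        print("event %(serial)d: %(exe)s (auid=%(auid)s) opened %(path)s "
              "for write, success=%(success)s" % f)
```

On the constructed log the useradd write to /etc/passwd is trusted and dropped, the syslogd event carries a different key and is ignored, and the two /etc/shadow events (a root vi session and a failed attempt from an unprivileged shell) are the reported delta. Two caveats for a real deployment: exe identifies a binary only as long as that binary itself is intact, so the trusted executables belong on the watch list too, and auid (the login uid) rather than uid is what ties a root-level write back to the person who logged in.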

More information about the Linux-audit mailing list