Auditing File Changes

Timothy R. Chavez tinytim at us.ibm.com
Mon Jul 10 20:55:51 UTC 2006


On Mon, 2006-07-10 at 14:56 -0500, LC Bruzenak wrote:
> On Mon, 2006-07-10 at 15:42 -0400, Valdis.Kletnieks at vt.edu wrote:
> ...
> > 
> > Probably depends on what actual problem he's trying to solve by recording
> > all the changes.
> 
> Most likely the same one I have been working on all my career:
> 
> Security guy: Please deliver system with maximum security.
> System guy (me): What do you need to know?
> Security guy: Any and all changes to security-relevant files.
> System guy: Which ones are those?
> Security guy: All of 'em.

If you issue 100 writes() in between an open() and an exit(), what does
write() #97 tell you that write() #26 doesn't?  You'd pretty much have
to log what changed per-write, which would consume a ridiculous amount
of space in addition to what would be consumed by logging write()'s in
general.  I think, from a security standpoint, it's more interesting to
know if, when, and by whom the file was open'ed() for write.

-tim

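As an added illustration of the point made above (example code, not from the thread or the audit project): given records in the Linux audit log's native format, this picks out the successful open() calls made with write intent and reports when, by whom (login uid and effective uid) and from which program the file was opened, which is the information the reply argues is worth keeping. The sample records are constructed, and the syscall table covers only x86_64 open(), whose flags land in a1.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread) in the format auditd writes,
# as a watch like `auditctl -w /etc/shadow -p w -k shadow-watch` would produce:
# serial 456 opens /etc/shadow for write, serial 457 opens it read-only.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1152565000.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1234 a1=241 a2=1b6 a3=0 items=1 ppid=900 pid=1234 auid=1000 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="shadow-watch"
type=PATH msg=audit(1152565000.123:456): item=0 name="/etc/shadow" inode=131 dev=08:01 mode=0100640 ouid=0 ogid=42
type=SYSCALL msg=audit(1152565020.500:457): arch=c000003e syscall=2 success=yes exit=4 a0=7fff5678 a1=0 a2=0 a3=0 items=1 ppid=900 pid=1300 auid=1001 uid=1001 gid=1001 euid=1001 comm="cat" exe="/bin/cat" key="shadow-watch"
type=PATH msg=audit(1152565020.500:457): item=0 name="/etc/shadow" inode=131 dev=08:01 mode=0100640 ouid=0 ogid=42
"""

O_ACCMODE, O_WRONLY, O_RDWR = 0o3, 0o1, 0o2
OPEN_SYSCALLS = {2}           # x86_64 open(); its flags are logged in a1, in hex
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEADER = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

def parse_record(line):
    """Turn one audit record into a dict; time and event serial come from msg=audit(...)."""
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    m = HEADER.search(line)
    rec['time'], rec['serial'] = m.group(1), int(m.group(2))
    return rec

def opens_for_write(log):
    """One summary per successful open() with write intent: when, who, which program, which file."""
    events = defaultdict(list)               # serial -> all records of that event
    for line in log.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec['serial']].append(rec)
    hits = []
    for serial in sorted(events):
        recs = events[serial]
        sc = next((r for r in recs if r['type'] == 'SYSCALL'), None)
        if sc is None or int(sc['syscall']) not in OPEN_SYSCALLS or sc['success'] != 'yes':
            continue
        if (int(sc['a1'], 16) & O_ACCMODE) not in (O_WRONLY, O_RDWR):
            continue                         # read-only open: nothing changed
        # With O_CREAT the event also carries a PARENT item; the last PATH item is the file.
        paths = [r['name'] for r in recs if r['type'] == 'PATH']
        hits.append({'time': sc['time'],
                     'auid': sc['auid'],     # login uid: survives su/sudo, unlike uid
                     'uid': sc['uid'],
                     'exe': sc['exe'],
                     'path': paths[-1] if paths else None})
    return hits

if __name__ == '__main__':
    for hit in opens_for_write(SAMPLE_LOG):
        print(hit)
```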