Auditing File Changes

Timothy R. Chavez tinytim at us.ibm.com
Mon Jul 10 21:02:14 UTC 2006


On Mon, 2006-07-10 at 16:51 -0400, Valdis.Kletnieks at vt.edu wrote:
> On Mon, 10 Jul 2006 14:56:47 CDT, LC Bruzenak said:
> 
> (Addressing the actual design separately)
> 
> > As Steve Grubb said, instrument the processes with trusted access.
> > Have file watches which note when certain "critical" files are opened
> > for write/append.
> > Have an audit analysis program which compares the trusted accesses to
> > the total accesses; the delta shows potentially interesting mods.
> 
> Ahh... but to find that delta, you don't really need to record the actual
> changes, do you?  You can (hopefully/presumably) then recover the old version
> of the modified file and diff it.

Assuming you were wanting to audit write()'s, maybe the record could
include the offset into the file where writing began and how many bytes
were written.  This obviously has some pretty major limitations in
usefulness, but would be more feasible than actually logging the
differences!

<snip>

-tim
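The design sketched in this thread (write() records carrying the start offset and byte count, trusted accesses subtracted from total accesses to leave the interesting modifications), as an added illustration that is not code from the thread or from the audit project; the key=value line format, the FILE_WRITE type and the offset/count fields are constructed assumptions, not fields real audit records carry.

```python
import re
from collections import defaultdict

# Constructed sample records in an audit-log-like key=value style.  The
# "offset" and "count" fields are the hypothetical additions proposed in
# the message above; they are not part of real audit output.
SAMPLE_LOG = """\
type=FILE_WRITE pid=412 comm="rpm" name="/etc/passwd" offset=0 count=2048
type=FILE_WRITE pid=977 comm="vi" name="/etc/passwd" offset=1500 count=40
type=FILE_WRITE pid=977 comm="vi" name="/etc/passwd" offset=1530 count=25
type=FILE_WRITE pid=981 comm="vi" name="/etc/shadow" offset=0 count=20
type=FILE_WRITE pid=412 comm="rpm" name="/etc/shadow" offset=0 count=900
"""

# Processes whose writes are instrumented and considered trusted (assumed).
TRUSTED = {"rpm", "yum"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one key=value line into a dict; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "comm": fields["comm"],
        "name": fields["name"],
        "offset": int(fields["offset"]),
        "count": int(fields["count"]),
    }


def merge_ranges(ranges):
    """Merge overlapping or adjacent half-open [start, end) byte ranges."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def untrusted_writes(log, trusted):
    """Map each watched file to the byte ranges written by processes outside
    the trusted set: the delta between total and trusted accesses."""
    by_file = defaultdict(list)
    for line in log.splitlines():
        rec = parse_record(line)
        if rec["comm"] in trusted:
            continue
        by_file[rec["name"]].append((rec["offset"], rec["offset"] + rec["count"]))
    return {name: merge_ranges(r) for name, r in by_file.items()}
```

The merged ranges only say which bytes of the file an untrusted writer touched; as the message notes, recovering the actual content still requires an older copy of the file to diff against.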