[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Best means of capturing audit changes to a certain filename under a path subtree? aka wildcard file watches


In the wake of the kernel.org attack, we're brushing up our security at
Gentoo (I lead our infrastructure/IT team for Gentoo services). One of
our self-identified weaknesses is auditing of changes to files used
elsewhere in our automated verification processes.

The audit subsystem gives a great general way to do this, but I can't
identify how best to audit changes to a file when the entire path is not
known ahead of time.

It seems that it would best be accomplished with wildcards:

However, the last email on the ilst about wildcards, was from Steve,
back in March 2006, responding to somebody asking about wildcard
support, and Steve answered that it was potentially coming via a new
patch. I think that patch was inotify, and inotify doesn't support

Since it seems to not be natively possible, what is the most efficient
way of auditing those file changes? (They comprise some 2000 files out
of 60k in that tree).

Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2 gentoo org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]