Best means of capturing audit changes to a certain filename under a path subtree? aka wildcard file watches

Robin H. Johnson robbat2 at gentoo.org
Thu Sep 15 07:03:06 UTC 2011


Hi,

In the wake of the kernel.org attack, we're brushing up our security at
Gentoo (I lead our infrastructure/IT team for Gentoo services). One of
our self-identified weaknesses is auditing of changes to files used
elsewhere in our automated verification processes.

The audit subsystem gives a great general way to do this, but I can't
identify how best to audit changes to a file when the entire path is not
known ahead of time.

It seems that it would best be accomplished with wildcards:
/var/db/pkg/*/*/CONTENTS

However, the last email on the list about wildcards was from Steve,
back in March 2006, responding to somebody asking about wildcard
support, and Steve answered that it was potentially coming via a new
patch. I think that patch was inotify, and inotify doesn't support
wildcards.

Since it seems to not be natively possible, what is the most efficient
way of auditing those file changes? (They comprise some 2000 files out
of 60k in that tree).

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2 at gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
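Two defender-side ways to cover a wildcard like /var/db/pkg/*/*/CONTENTS without wildcard support in auditctl, as an added example that is not part of the post or of the audit project: expand the glob into explicit -w watches at load time, or keep a single -F dir= subtree rule and post-filter the PATH records by name. The function names, the key "pkg_contents" and the sample records are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the post): auditing ROOT/*/*/CONTENTS without
# wildcard rules.  Function names and the key are assumed, not from audit.

# gen_contents_rules ROOT KEY
# Prints one "-w FILE -p wa -k KEY" rule per existing ROOT/*/*/CONTENTS.
# Watches are path-based, so files created later (new package directories)
# are not covered: re-run and reload the rules whenever packages change.
gen_contents_rules() {
    root=$1 key=$2
    for f in "$root"/*/*/CONTENTS; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal
        printf '%s %s -p wa -k %s\n' -w "$f" "$key"
    done
}

# subtree_rule ROOT KEY
# One syscall rule over the whole tree (cheap to load, noisy to read);
# pair it with match_contents_path when reading the log.
subtree_rule() {
    printf '%s\n' "-a always,exit -F arch=b64 -S open,openat,truncate,unlink,rename,renameat -F dir=$1 -F key=$2"
}

# match_contents_path ROOT LINE
# Returns 0 when an audit PATH record's name="..." field (quoted form
# assumed) is a ROOT/<cat>/<pkg>/CONTENTS file, exactly two levels below
# ROOT; returns 1 for anything else, including deeper or unrelated paths.
match_contents_path() {
    root=$1 line=$2 q='"'
    name=${line##*name=$q}           # text after the last name="
    name=${name%%$q*}                # up to the closing quote
    rel=${name#"$root"/}
    [ "$rel" != "$name" ] || return 1  # not under ROOT at all
    case $rel in
        */*/*/*)      return 1 ;;     # three or more levels deep
        */*/CONTENTS) return 0 ;;
    esac
    return 1
}
```

The generated rules can be appended to an audit rules file and loaded with auditctl -R; the subtree rule's events are then found with ausearch -k pkg_contents and reduced with match_contents_path.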