On Mon, 2006-07-10 at 16:51 -0400, Valdis.Kletnieks(a)vt.edu wrote:
On Mon, 10 Jul 2006 14:56:47 CDT, LC Bruzenak said:
(Addressing the actual design separately)
> As Steve Grubb said, instrument the processes with trusted access.
> Have file watches which note when certain "critical" files are opened
> for write/append.
> Have an audit analysis program which compares the trusted accesses to
> the total accesses; the delta shows potentially interesting mods.
Ahh... but to find that delta, you don't really need to record the actual
changes, do you? You can (hopefully/presumably) then recover the old version
of the modified file and diff it.
Assuming you were wanting to audit write()'s, maybe the record could
include the offset into the file where writing began and how many bytes
were written. This obviously has some pretty major limitations in
usefulness, but would be more feasible than actually logging the
differences!
<snip>
-tim
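The two ideas in this exchange, an analysis program that takes the delta between trusted and total accesses to critical files, and a write record that carries only the offset and byte count, combined in one added Python example (not code from the thread or from the audit project). The record layout, the critical-file set, the trusted-executable set and the sample records are all constructed assumptions, not real auditd output.

```python
from dataclasses import dataclass


# Constructed audit-style write record: offset and length only, as Tim proposed.
@dataclass(frozen=True)
class WriteRecord:
    pid: int
    exe: str
    path: str
    offset: int
    length: int


# Assumed policy: which files are "critical" and which programs are trusted to write them.
CRITICAL_FILES = {"/etc/passwd", "/etc/shadow", "/etc/sudoers"}
TRUSTED_EXES = {"/usr/sbin/useradd", "/usr/bin/passwd", "/usr/sbin/visudo"}

# Constructed sample records (not captured from a real system).
SAMPLE_RECORDS = [
    WriteRecord(1201, "/usr/sbin/useradd", "/etc/passwd", 1024, 48),
    WriteRecord(1202, "/usr/bin/vim", "/etc/sudoers", 512, 32),
    WriteRecord(1203, "/usr/bin/passwd", "/etc/shadow", 300, 90),
    WriteRecord(1204, "/usr/bin/vim", "/var/log/app.log", 0, 10),  # not a critical file
    WriteRecord(1205, "/tmp/.x", "/etc/shadow", 0, 64),
    WriteRecord(1202, "/usr/bin/vim", "/etc/sudoers", 540, 20),  # overlaps the earlier write
]


def interesting_writes(records, critical=CRITICAL_FILES, trusted=TRUSTED_EXES):
    """Total accesses to critical files minus trusted accesses: the delta worth a look."""
    return [r for r in records if r.path in critical and r.exe not in trusted]


def touched_ranges(records):
    """Merge each file's (offset, offset+length) spans so only those byte ranges
    need to be diffed against a known-good copy of the file."""
    by_path = {}
    for r in records:
        by_path.setdefault(r.path, []).append((r.offset, r.offset + r.length))
    merged = {}
    for path, spans in by_path.items():
        spans.sort()
        out = []
        for start, end in spans:
            if out and start <= out[-1][1]:
                out[-1] = (out[-1][0], max(out[-1][1], end))
            else:
                out.append((start, end))
        merged[path] = out
    return merged
```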