On Mon, 2006-07-10 at 14:56 -0500, LC Bruzenak wrote:
> On Mon, 2006-07-10 at 15:42 -0400, Valdis.Kletnieks(a)vt.edu wrote:
> ...
> >
> > Probably depends on what actual problem he's trying to solve by recording
> > all the changes.
> Most likely the same one I have been working on all my career:
> Security guy: Please deliver system with maximum security.
> System guy (me): What do you need to know?
> Security guy: Any and all changes to security-relevant files.
> System guy: Which ones are those?
> Security guy: All of 'em.

If you issue 100 write()s in between an open() and an exit(), what does
write() #97 tell you that write() #26 doesn't? You'd pretty much have
to log what changed per-write, which would consume a ridiculous amount
of space in addition to what would be consumed by logging write()s in
general. I think, from a security standpoint, it's more interesting to
know if, when, and by whom the file was open'ed() for write.
-tim
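The trade-off Tim describes (record the open()-for-write, not every write() that follows) can be made concrete with a small log summariser. The following is an added example, not code from the thread or from the audit project: it groups constructed audit-style records (loosely modelled on Linux auditd's audit.log format, with SYSCALL and PATH records sharing one msg=audit(ts:serial) id) and reports one line per file opened with write intent, while counting how many write() records the same session produced. The sample log lines, the x86_64 syscall numbers used, and the assumption that auditd prints syscall arguments as bare hex are all stated in the code.

```python
"""Summarise "who opened which file for write" from audit-style records.

Added example (not part of the mailing-list thread). It collapses a
constructed audit trail to one entry per open()-for-write event and counts
the write() records that would otherwise have to be logged individually.
Record layout loosely follows Linux auditd's audit.log: a SYSCALL record
and one or more PATH records that share the same msg=audit(ts:serial) id.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample (not captured from a real system): an editor run by
# auid 1000 opens /etc/passwd for write and issues three write() calls; a
# second user then opens the same file read-only.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1152563760.101:45): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1234 a1=241 a2=1b6 uid=0 auid=1000 comm="vi" exe="/usr/bin/vi" key="etc-watch"
type=PATH msg=audit(1152563760.101:45): item=0 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1152563760.102:46): arch=c000003e syscall=1 success=yes exit=512 a0=3 a1=7fff5678 a2=200 uid=0 auid=1000 comm="vi" exe="/usr/bin/vi" key="etc-watch"
type=SYSCALL msg=audit(1152563760.103:47): arch=c000003e syscall=1 success=yes exit=512 a0=3 a1=7fff5878 a2=200 uid=0 auid=1000 comm="vi" exe="/usr/bin/vi" key="etc-watch"
type=SYSCALL msg=audit(1152563760.104:48): arch=c000003e syscall=1 success=yes exit=96 a0=3 a1=7fff5a78 a2=60 uid=0 auid=1000 comm="vi" exe="/usr/bin/vi" key="etc-watch"
type=SYSCALL msg=audit(1152563760.200:49): arch=c000003e syscall=2 success=yes exit=4 a0=7fff9abc a1=0 a2=0 uid=1001 auid=1001 comm="cat" exe="/usr/bin/cat" key="etc-watch"
type=PATH msg=audit(1152563760.200:49): item=0 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

EVENT_RE = re.compile(r'msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 syscall numbers (assumed architecture for the sample's arch=c000003e).
OPEN_SYSCALLS = {2: "open", 257: "openat"}
WRITE_SYSCALLS = {1: "write", 18: "pwrite64", 20: "writev"}
O_ACCMODE, O_WRONLY, O_RDWR = 0o3, 0o1, 0o2


def parse_records(text):
    """Group raw records by (timestamp, serial) -> {record type: fields}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an audit record; skip
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        key = (float(m["ts"]), int(m["serial"]))
        events[key][fields["type"]] = fields
    return events


def write_intent(syscall_rec):
    """True if the SYSCALL record is an open()/openat() with write access."""
    nr = int(syscall_rec["syscall"])
    if nr not in OPEN_SYSCALLS:
        return False
    # open() carries flags in a1, openat() in a2; auditd logs args as bare hex
    # (assumption stated in the lead-in).
    flags = int(syscall_rec["a1" if nr == 2 else "a2"], 16)
    return (flags & O_ACCMODE) in (O_WRONLY, O_RDWR)


def opens_for_write(text):
    """One summary dict per open-for-write event: when, who, what, with which program."""
    out = []
    for (ts, serial), recs in sorted(parse_records(text).items()):
        sc = recs.get("SYSCALL")
        if not sc or not write_intent(sc):
            continue
        path = recs.get("PATH", {}).get("name", "?")
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        out.append({"when": when, "serial": serial, "path": path,
                    "auid": int(sc["auid"]), "uid": int(sc["uid"]), "exe": sc["exe"]})
    return out


def count_by_class(text):
    """How many open-family vs write-family SYSCALL records the trail holds."""
    counts = {"open": 0, "write": 0}
    for recs in parse_records(text).values():
        sc = recs.get("SYSCALL")
        if not sc:
            continue
        nr = int(sc["syscall"])
        counts["open"] += nr in OPEN_SYSCALLS
        counts["write"] += nr in WRITE_SYSCALLS
    return counts


if __name__ == "__main__":
    for ev in opens_for_write(SAMPLE_LOG):
        print(f'{ev["when"]} auid={ev["auid"]} uid={ev["uid"]} {ev["exe"]} '
              f'opened {ev["path"]} for write (event {ev["serial"]})')
    print("record counts:", count_by_class(SAMPLE_LOG))
```

On a real system the SYSCALL/PATH records of this shape come from an auditd file watch such as `auditctl -w /etc/passwd -p wa -k etc-watch`; the summary keeps the "if, when, and by whom" of the open, and the read-only open by auid 1001 is dropped because its flags carry no write access. The three write() records in the sample show the volume that per-write logging would add without naming a new actor or file.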