Re: linux-audit: reconstruct path names from syscall events?

On Tue, Oct 9, 2012 at 4:54 PM, Al Viro <viro(a)zeniv.linux.org.uk&gt; wrote: > Again, relying on pathnames for forensics (or security in general) is > a serious mistake (cue unprintable comments about apparmor and similar > varieties of snake oil). And using audit as poor man's ktrace analog > is... misguided, to put it very mildly. Caveat: I'm just a sysadmin, so this stuff is as darn near "magic" as I get to see on a regular basis, so it's safe to expect some naivety and/or misguidedness on my part :) I'm just using it as a log of files that have been written/changed on moderately- to heavily-used systems. If there's another in-kernel mechanism that'd be better suited for that sort of thing (at least without adding a lot of overhead), I'd be definitely eager to know about it. It's a web hosting environment, with customer files all solely on NFS, so writes to the same directory can come from an arbitrary number of servers. When they get swamped with write requests, the amount of per-client stats exposed by our Netapp and Oracle NFS servers is often only enough to point us at a client server with an abusive user on it (but not much more, without turning on debugging). Having logs of who's doing writes would be quite useful, esp when writes aren't happening at that exact moment and wouldn't show up in tools like iotop. The audit subsystem seemed like the best fit for this kind of thing, but I'm more than open to whatever works.