11:05 a.m.
It was suggested to me that readers of this list might be interested in
hearing our use case for directory structure auditing (auditing all of the
files below a directory). So here it is.
We write digital asset management (management of photos, sound files, video
files, etc.) software for law enforcement agencies.
These agencies are not only interested in whether a digital asset is
untouched (for which we assign a hash), but also in who has had access to
any given file and what they did with it (read, write, ???.).
The number of files could be in the millions, far too many to add a rule for
each file.
Building a rule for each user is not only operationally undesirable it would
also mean that if those users actually logged into the server every file
they accessed would be logged, not just the files we care about.
We want/need to catch all access to the files in our directory structure
including any management/administrative access, therefore we would like
*all* users access to these files logged, not just a subset of common
(non-admin) users.
That is it. Not terribly complex.
If anyone has any questions I will do my best to answer them.
-Mont
2:22 p.m.
Amy and I talked about this briefly a week or so ago. Her current
patch will not support this functionality as-is but we think it is
possible to develop a follow-up patch that supports watching individual
directories. Its probably not possible to audit an entire directory
structure with a single watch but if one is willing to specify each
directory to be audited, then we might be able to provide that
capability.
-- ljk
Steve Grubb wrote:
On Thursday 17 November 2005 12:05, Mont Rothstein wrote:
>The number of files could be in the millions, far too many to add a rule
>for each file.
Amy, since the new file system audit code is using the inotify interface, will
this be possible?
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
3:58 p.m.
linux-audit-bounces(a)redhat.com wrote on 11/17/2005 02:22:15 PM:
Amy and I talked about this briefly a week or so ago. Her current
patch will not support this functionality as-is but we think it is
possible to develop a follow-up patch that supports watching individual
directories. Its probably not possible to audit an entire directory
structure with a single watch but if one is willing to specify each
directory to be audited, then we might be able to provide that
capability.
Would it be possible to have a watch that instructs a parent to watch its
children? Perhaps that is what you are saying here... If so, that would
be a very reasonable action.
What is the limiting aspect that would not allow you to watch deeper than
just 1 set of children? Obviously, this could be set up with some kind of
script or automation on the user's behalf if its not possible, but I can
see
Mont's request being a very common one.
Mike
-- ljk
Steve Grubb wrote:
> On Thursday 17 November 2005 12:05, Mont Rothstein wrote:
>
>>The number of files could be in the millions, far too many to add a
rule
>>for each file.
>
>
> Amy, since the new file system audit code is using the inotify
interface, will
> this be possible?
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
4:04 p.m.
For our needs it would have to be the full structure. For our largest
customers with millions of files, there are potentially 10's of thousands of
directories.
It might be possible to auto-create rules as the directories are created,
but I would worry about the impact of that many rules.
Of course, I am assuming that there is some way to enable this at the kernel
level that is less resource intensive than a rule per directory.
-Mont
1:22 p.m.
On Thu, Nov 17, 2005 at 03:58:42PM -0600, Michael C Thompson wrote:
linux-audit-bounces(a)redhat.com wrote on 11/17/2005 02:22:15 PM:
>
> Amy and I talked about this briefly a week or so ago. Her current
> patch will not support this functionality as-is but we think it is
> possible to develop a follow-up patch that supports watching
> individual directories. Its probably not possible to audit an
> entire directory structure with a single watch but if one is
> willing to specify each directory to be audited, then we might be
> able to provide that capability.
Would it be possible to have a watch that instructs a parent to
watch its children? Perhaps that is what you are saying here... If
so, that would be a very reasonable action.
Yes, that shouldn't be a problem.
What is the limiting aspect that would not allow you to watch deeper
than just 1 set of children?
I thought about this a little more, and realized it could be more of a
possibility than I originally thought.
To support this feature, I imagine we would take the following
approach. During each filesystem operation, walk the dentry tree from
the target object back to the root to re-construct the absolute path.
Then save this path in the audit_context for comparison with any
tree-based watches at syscall exit time. The tree-based watches would
need to be flagged as such in the filter rules.
Before we consider adding something like this, we would need to
investigate the performance impact of adding the requisite extra
processing to the filesystem-related syscalls.
Amy
Obviously, this could be set up with some kind of script or
automation on the user's behalf if its not possible, but I can see
Mont's request being a very common one.
Mike
6973
days inactive
6974
days old
linux-audit@lists.linux-audit.osci.io
5 comments
5 participants
participants (5)
-
Amy Griffis -
Linda Knippers -
Michael C Thompson -
Mont Rothstein -
Steve Grubb