[clue] file-system activity logging

Dan Kulinski daniel at kulinski.net
Sun Jan 8 12:06:31 MST 2012


I am pretty sure we have it monitoring the whole filesystem.  After lunch
I'll pull the rules.  As for overhead, we don't see much overhead and this
is a pretty high-use CIFS server.  Of course I don't have hard numbers to
back this up, just my gut feeling.

Dan Kulinski

On Sun, Jan 8, 2012 at 12:05 PM, David L. Willson <DLWillson at thegeek.nu> wrote:

> Any idea the overhead involved? I have to do the auditing client-side on
> 12+ machines, because the NFS "server" isn't a standard box.
>
> And of course, some of the clients that must be audited are production or
> mission-critical.
>
> And, I haven't read enough to say for sure, but it seems like auditd only
> wants to watch specific files, rather than all access in a whole
> file-system. Is that so?
>
>
> David L. Willson
> Trainer, Engineer, Enthusiast
> RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP
> tel://720.333.LANS
> Freedom is better when you earn it. Learn Linux.
>
> ------------------------------
>
> We use auditd to watch a system we export via CIFS.  Files kept
> disappearing and we had to be able to track it.  Turns out it was a user
> with a super sensitive mouse dragging folders to other folders.  You just
> need to set up rules and you will be able to query for file accesses on that
> mount.
>
> Dan Kulinski
>
> _______________________________________________
> clue mailing list: clue at cluedenver.org
> For information, account preferences, or to unsubscribe see:
> http://cluedenver.org/mailman/listinfo/clue
>
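
The kind of query described in this thread (who moved or deleted files under an audited mount), as an added example that is not part of the original messages: it groups raw audit.log records by event ID and reports successful rename/unlink-type syscalls that carry a given rule key. The key name `cifs-share`, the paths, the uids and the sample records are assumptions constructed for illustration; the syscall numbers are the x86_64 ones.

```python
import re
from collections import defaultdict
# x86_64 syscall numbers for operations that make a name disappear.
SYSCALLS = {82: "rename", 84: "rmdir", 87: "unlink",
            263: "unlinkat", 264: "renameat", 316: "renameat2"}
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """auditd quotes plain strings and hex-encodes ones with spaces or specials."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def moved_or_deleted(lines, key):
    """Return (time, uid, operation, old_path, new_path) for each matching event."""
    events = defaultdict(lambda: {"call": None, "paths": {}})
    for line in lines:
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = dict(FIELD.findall(line))
        event = events[(float(m.group(1)), int(m.group(2)))]  # records share an ID
        if fields.get("type") == "SYSCALL":
            event["call"] = fields
        elif fields.get("type") == "PATH":
            event["paths"][fields.get("nametype")] = decode(fields.get("name", ""))
    found = []
    for (stamp, _serial), event in sorted(events.items(), key=lambda kv: kv[0]):
        call = event["call"]
        if not call or call.get("arch") != "c000003e" or call.get("success") != "yes":
            continue
        op = SYSCALLS.get(int(call.get("syscall", -1)))
        if op and decode(call.get("key", "")) == key and "DELETE" in event["paths"]:
            found.append((stamp, int(call["uid"]), op,
                          event["paths"]["DELETE"], event["paths"].get("CREATE")))
    return found

# Constructed sample records (not from the thread); key, uids and paths are assumed.
SAMPLE = """\
type=SYSCALL msg=audit(1326049500.101:881): arch=c000003e syscall=82 success=yes exit=0 items=2 pid=2301 auid=4294967295 uid=1004 gid=100 comm="smbd" exe="/usr/sbin/smbd" key="cifs-share"
type=PATH msg=audit(1326049500.101:881): item=0 name="/srv/share/projects/q4" inode=977 nametype=DELETE
type=PATH msg=audit(1326049500.101:881): item=1 name=2F7372762F73686172652F6F6C642066696C65732F7134 inode=977 nametype=CREATE
type=SYSCALL msg=audit(1326049533.450:902): arch=c000003e syscall=2 success=yes exit=5 items=1 pid=2301 auid=4294967295 uid=1007 gid=100 comm="smbd" exe="/usr/sbin/smbd" key="cifs-share"
type=PATH msg=audit(1326049533.450:902): item=0 name="/srv/share/projects/notes.txt" inode=978 nametype=NORMAL
""".splitlines()
```

On the sample, `moved_or_deleted(SAMPLE, "cifs-share")` reports one rename by uid 1004 from `/srv/share/projects/q4` to `/srv/share/old files/q4`; the second event is a plain open and is ignored.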