[clue] file-system activity logging

Dan Kulinski daniel at kulinski.net
Sun Jan 8 12:29:06 MST 2012


Alright, I am unable to locate the rule set I was interested in.  I'll
consult with my co-worker tomorrow and pull it out for you then.

Dan Kulinski

On Sun, Jan 8, 2012 at 12:06 PM, Dan Kulinski <daniel at kulinski.net> wrote:

> I am pretty sure we have it monitoring the whole filesystem.  After lunch
> I'll pull the rules.  As for overhead, we don't see much overhead and this
> is a pretty high-use CIFS server.  Of course I don't have hard numbers to
> back this up, just my gut feeling.
>
> Dan Kulinski
>
> On Sun, Jan 8, 2012 at 12:05 PM, David L. Willson <DLWillson at thegeek.nu> wrote:
>
>> Any idea the overhead involved? I have to do the auditing client-side on
>> 12+ machines, because the NFS "server" isn't a standard box.
>>
>> And of course, some of the clients that must be audited are production
>> or mission-critical.
>>
>> And, I haven't read enough to say for sure, but it seems like auditd only
>> wants to watch specific files, rather than all access in a whole
>> file-system. Is that so?
>>
>>
>> David L. Willson
>> Trainer, Engineer, Enthusiast
>> RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP
>> tel://720.333.LANS
>> Freedom is better when you earn it. Learn Linux.
>>
>> ------------------------------
>>
>> We use auditd to watch a system we export via CIFS.  Files kept
>> disappearing and we had to be able to track it.  Turns out it was a user
>> with a super-sensitive mouse dragging folders to other folders.  You just
>> need to set up rules and you will be able to query for file accesses on that
>> mount.
>>
>> Dan Kulinski
>>
>> _______________________________________________
>> clue mailing list: clue at cluedenver.org
>> For information, account preferences, or to unsubscribe see:
>> http://cluedenver.org/mailman/listinfo/clue
>>
>
>
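
The approach discussed in this thread (an audit watch on the exported directory, then querying the log to see who made files disappear), as an added example that is not from the thread or from Dan's rule set. The rule, the path `/srv/share`, the key `share-watch` and all log records are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread), shaped like auditd output for
# an assumed rule:  -w /srv/share -p wa -k share-watch   (path and key are made up;
# a watch on a directory covers the whole subtree below it).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1326050000.123:4521): arch=c000003e syscall=82 success=yes exit=0 auid=1001 uid=1001 comm="smbd" exe="/usr/sbin/smbd" key="share-watch"
type=PATH msg=audit(1326050000.123:4521): item=2 name="/srv/share/projects/reports" nametype=DELETE
type=PATH msg=audit(1326050000.123:4521): item=3 name="/srv/share/archive/reports" nametype=CREATE
type=SYSCALL msg=audit(1326050042.500:4530): arch=c000003e syscall=2 success=yes exit=5 auid=1002 uid=1002 comm="smbd" exe="/usr/sbin/smbd" key="share-watch"
type=PATH msg=audit(1326050042.500:4530): item=0 name="/srv/share/projects/plan.txt" nametype=NORMAL
type=SYSCALL msg=audit(1326050100.010:4544): arch=c000003e syscall=87 success=yes exit=0 auid=1002 uid=1002 comm="smbd" exe="/usr/sbin/smbd" key="share-watch"
type=PATH msg=audit(1326050100.010:4544): item=1 name="/srv/share/projects/old.doc" nametype=DELETE
'''

# x86_64 syscall numbers for calls that make a path disappear.
REMOVERS = {82: "rename", 84: "rmdir", 87: "unlink", 263: "unlinkat", 264: "renameat"}
HEADER = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def disappearances(log_text, key):
    """Group records by audit event serial; report paths removed or moved away."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip blank or truncated lines
        rtype, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        if rtype == "SYSCALL":
            events[int(serial)]["syscall"] = fields
        elif rtype == "PATH":
            events[int(serial)]["paths"].append((fields.get("nametype"), fields.get("name")))
    findings = []
    for serial in sorted(events):
        sc, paths = events[serial]["syscall"], events[serial]["paths"]
        if not sc or sc.get("key") != key or sc.get("success") != "yes":
            continue
        op = REMOVERS.get(int(sc.get("syscall", -1)))
        if op is None:
            continue  # e.g. an open(): access was logged but nothing vanished
        created = [name for kind, name in paths if kind == "CREATE"]
        for kind, name in paths:
            if kind == "DELETE":
                findings.append({"event": serial, "op": op, "auid": sc.get("auid"),
                                 "path": name, "moved_to": created[0] if created else None})
    return findings
```

On a live host the records for a key can be pulled with `ausearch -k <key>`; file names containing spaces appear hex-encoded in raw logs, which this parser does not decode.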