[clue] file-system activity logging

Dan Kulinski daniel at kulinski.net
Sun Jan 8 12:32:08 MST 2012


Ok, we record all unlink calls on all file systems.

The search rule is this:
ausearch -sc unlink

This won't help you with your needs, my apologies for misleading you.  You
can probably record all file open calls and then use audit search to parse
them?

Dan Kulinski


On Sun, Jan 8, 2012 at 12:29 PM, Dan Kulinski <daniel at kulinski.net> wrote:

> Alright, I am unable to locate the rule set I was interested in.  I'll
> consult with my co-worker tomorrow and pull it out for you then.
>
> Dan Kulinski
>
> On Sun, Jan 8, 2012 at 12:06 PM, Dan Kulinski <daniel at kulinski.net> wrote:
>
>> I am pretty sure we have it monitoring the whole filesystem.  After lunch
>> I'll pull the rules.  As for overhead, we don't see much overhead and this
>> is a pretty high use CIFS server.  Of course I don't have hard numbers to
>> back this up just my gut feeling.
>>
>> Dan Kulinski
>>
>>> On Sun, Jan 8, 2012 at 12:05 PM, David L. Willson <DLWillson at thegeek.nu> wrote:
>>
>>> Any idea the overhead involved? I have to do the auditing client-side on
>>> 12+ machines, because the NFS "server" isn't a standard box.
>>>
>>> And of course, some of the clients that must be audited, are production
>>> or mission-critical.
>>>
>>> And, I haven't read enough to say for sure, but it seems like auditd
>>> only wants to watch specific files, rather than all access in a whole
>>> file-system. Is that so?
>>>
>>>
>>> David L. Willson
>>> Trainer, Engineer, Enthusiast
>>> RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP
>>> tel://720.333.LANS
>>> Freedom is better when you earn it. Learn Linux.
>>>
>>> ------------------------------
>>>
>>> We use auditd to watch a system we export via CIFS.  Files kept
>>> disappearing and we had to be able to track it.  Turns out it was a user
>>> with a super sensitive mouse dragging folders to other folders.  You just
>>> need to set up rules and you will be able to query for file accesses on that
>>> mount.
>>>
>>> Dan Kulinski
>>>
>>> _______________________________________________
>>> clue mailing list: clue at cluedenver.org
>>> For information, account preferences, or to unsubscribe see:
>>> http://cluedenver.org/mailman/listinfo/clue
>>>
>>>
>>>
>>>
>>
>>
>
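The thread stops at "record all unlink calls and run `ausearch -sc unlink`". The following is an added example, not code from Dan, David or the clue list, showing what a practitioner would pair with that advice: an audit rule set for a whole export (the mount point /srv/export is a hypothetical placeholder) and a small parser that turns raw auditd SYSCALL/PATH records into a "who removed which path, using what program" report. Two caveats the example encodes: `ausearch -sc unlink` matches only the `unlink` syscall, while `rm` on a modern system deletes through `unlinkat`, and a folder dragged into another folder (the culprit in the thread) is a `rename`, not an unlink at all, so the rules and the parser cover both. The audit log excerpt is constructed, and the syscall numbers assumed are the x86_64 ones (arch=c000003e).

```python
"""Correlate raw auditd SYSCALL/PATH records into a delete/rename report.

Added example (not from the thread). Assumptions: x86_64 syscall numbers,
a hypothetical export mounted at /srv/export, and a constructed log excerpt.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Rule set equivalent to "record all unlink calls", widened to the syscalls
# that actually make files vanish. Load with `auditctl -R <file>`; the key
# lets `ausearch -k fs_delete` pull every matching event. /srv/export is
# a placeholder path.
AUDIT_RULES = """\
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F dir=/srv/export -k fs_delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F dir=/srv/export -k fs_delete
"""

# Syscall numbers as they appear in SYSCALL records with arch=c000003e (x86_64).
X86_64_SYSCALLS = {87: "unlink", 263: "unlinkat", 82: "rename", 264: "renameat", 316: "renameat2"}

RECORD_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit line into (type, timestamp, serial, fields) or None."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return rtype, float(ts), int(serial), fields


def removed_paths(log_text):
    """Return one dict per successful delete/rename: who, via which program, which path.

    Records belonging to one event share the (timestamp, serial) pair in msg=audit(...),
    so SYSCALL and PATH lines are grouped on that pair before being interpreted.
    """
    events = defaultdict(lambda: {"syscall": None, "DELETE": [], "CREATE": []})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, ts, serial, f = rec
        ev = events[(ts, serial)]
        if rtype == "SYSCALL":
            ev["syscall"] = f
        elif rtype == "PATH" and f.get("nametype") in ("DELETE", "CREATE"):
            ev[f["nametype"]].append(f["name"])

    report = []
    for (ts, serial), ev in sorted(events.items()):
        sc = ev["syscall"]
        # Only x86_64 numbers are mapped here; failed attempts are skipped.
        if not sc or sc.get("arch") != "c000003e" or sc.get("success") != "yes":
            continue
        name = X86_64_SYSCALLS.get(int(sc["syscall"]))
        if name is None:
            continue
        for i, path in enumerate(ev["DELETE"]):
            entry = {
                "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
                "serial": serial, "syscall": name,
                "auid": sc.get("auid"), "exe": sc.get("exe"), "path": path,
            }
            # A rename logs the old name as DELETE and the new name as CREATE.
            if name.startswith("rename") and i < len(ev["CREATE"]):
                entry["moved_to"] = ev["CREATE"][i]
            report.append(entry)
    return report


# Constructed excerpt in the raw format `ausearch -k fs_delete --raw` emits:
# an rm (unlinkat), a folder drag seen by smbd (rename), and a failed unlink.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1326050528.101:2001): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=1e4e2c0 a2=0 a3=0 items=2 ppid=2310 pid=2355 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=5 comm="rm" exe="/bin/rm" key="fs_delete"
type=CWD msg=audit(1326050528.101:2001):  cwd="/srv/export/reports"
type=PATH msg=audit(1326050528.101:2001): item=0 name="/srv/export/reports" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1326050528.101:2001): item=1 name="/srv/export/reports/q4.xlsx" inode=131090 dev=08:01 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1326050601.555:2002): arch=c000003e syscall=82 success=yes exit=0 a0=7f1c0c004c80 a1=7f1c0c004d10 a2=0 a3=0 items=4 ppid=1 pid=2140 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="smbd" exe="/usr/sbin/smbd" key="fs_delete"
type=PATH msg=audit(1326050601.555:2002): item=0 name="/srv/export" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1326050601.555:2002): item=1 name="/srv/export/archive" inode=131200 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1326050601.555:2002): item=2 name="/srv/export/reports" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1326050601.555:2002): item=3 name="/srv/export/archive/reports" inode=131073 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1326050700.009:2003): arch=c000003e syscall=87 success=no exit=-2 a0=1e4e300 a1=0 a2=0 a3=0 items=1 ppid=2310 pid=2360 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=5 comm="rm" exe="/bin/rm" key="fs_delete"
type=PATH msg=audit(1326050700.009:2003): item=0 name="/srv/export" inode=2 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
"""

if __name__ == "__main__":
    for e in removed_paths(SAMPLE_LOG):
        where = f" -> {e['moved_to']}" if "moved_to" in e else ""
        print(f"{e['time']} auid={e['auid']} {e['exe']} {e['syscall']} {e['path']}{where}")
```

On a live box the input is `ausearch -k fs_delete --raw` (or `-sc unlink -sc unlinkat --raw` if the rules were loaded without a key); `auid` is the login uid, which survives `su`/`sudo` and is the field to trust when a daemon such as smbd is doing the work on a user's behalf.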

