[clue] file-system activity logging

Will Sterling will.sterling at gmail.com
Sun Jan 8 16:45:24 MST 2012


http://www.suse.com/documentation/sled10/pdfdoc/auditqs_sp2/auditqs_sp2.pdf

On Jan 8, 2012, at 2:57 PM, Will Sterling <will.sterling at gmail.com> wrote:

Have you looked at auditd?

On Jan 8, 2012, at 2:24 PM, Will Sterling <will.sterling at gmail.com> wrote:

Install HP-UX :-)

On Jan 8, 2012, at 11:32 AM, "David L. Willson" <DLWillson at thegeek.nu>
wrote:

Anyone got a strategy for recording every file open on a particular mount?

I've googled until my fingers bled, and tried lots and lots of things with
lsof. I'm pretty sure I'm barking up the wrong tree or attempting the
impossible.

Here's a relatively detailed use-case:

I'm on a system, which has a shared file-system mounted as NFSv3. This
system reads a small file. The file is only open for about a second.

I want to record that the file was opened for reading and ideally, the UID
that opened it. There are lots of bits of information that would be nice to
collect, but those are the basics.

Repeated runs of lsof are provably unlikely to happen to catch it. So,
running it every minute by cron is both wasteful AND ineffective... In
fact, I've tried a bunch of different ways of doing it and it's really hard
to catch this read.

Ideas?

David L. Willson
Trainer, Engineer, Enthusiast
RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP
tel://720.333.LANS
Freedom is better when you earn it. Learn Linux.
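
Added example, not part of the original thread: once auditd is logging opens on the mount, each open appears in audit.log as a SYSCALL record (UID, executable, success) and a PATH record (file name) sharing one event serial, and this sketch joins them. The watch rule in the comment, the path /mnt/share, the key nfs-read and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the audit.log record format; not taken from a real system.
# Assumes a watch was loaded with: auditctl -w /mnt/share -p r -k nfs-read
# (/mnt/share and the key nfs-read are placeholders).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1326066324.123:4521): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2001 pid=2042 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/bin/cat" key="nfs-read"
type=CWD msg=audit(1326066324.123:4521):  cwd="/home/alice"
type=PATH msg=audit(1326066324.123:4521): item=0 name="/mnt/share/small.conf" inode=1234 dev=00:15 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1326066330.456:4522): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=1 pid=2100 auid=4294967295 uid=33 gid=33 euid=33 comm="httpd" exe="/usr/sbin/httpd" key="nfs-read"
type=PATH msg=audit(1326066330.456:4522): item=0 name="/mnt/share/secret.key" inode=1250 dev=00:15 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1326066331.000:4523): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=2101 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/bin/ls" key="other-rule"
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(body):
    """Split 'k=v k="v v"' into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(body)}

def file_opens(log_text, key):
    """Join SYSCALL and PATH records sharing an event serial; return opens for `key`."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, ts, serial, body = m.groups()
        fields = parse_fields(body)
        ev = events[serial]
        if rtype == "SYSCALL":
            ev.update(ts=float(ts), syscall=fields)
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    out = []
    for serial, ev in sorted(events.items(), key=lambda kv: int(kv[0])):
        sc = ev.get("syscall")
        if sc and sc.get("key") == key:  # only events matched by our rule key
            for path in ev["paths"]:
                out.append({"serial": int(serial), "time": ev["ts"], "uid": int(sc["uid"]),
                            "auid": int(sc["auid"]), "exe": sc["exe"],
                            "success": sc["success"] == "yes", "path": path})
    return out

if __name__ == "__main__":
    for rec in file_opens(SAMPLE_LOG, "nfs-read"):
        print(rec)
```

Denied attempts (success=no) are reported alongside successful reads, and auid 4294967295 marks a process with no login session, such as a daemon.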
