[logs] How to log - commands and file access
Anton Chuvakin
anton at chuvakin.org
Fri Nov 9 12:09:56 PST 2007
> - all file access by process and username in real-time (not static) or if
> it's not possible, which process and username access to some files (or
> directory) like /etc/shadow, /data/ ...
Unix binary audit is the answer to this one. Specifically,
- Solaris BSM audit
- HPUX Audit
- AIX <whatever they call it>
Be prepared to experience a flood of data. If you are doing it per
user, it will be much easier. Some allow (and some don't allow) it on
a per file/per directory basis, use it!
You can then centralize the resulting binary audit files into a log
management tool for reporting, analysis, searching, safekeeping, etc.
P.S. Since I just mentioned a log management tool, I need to please
Tina and say: I work for LogLogic that makes such tools.
Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://chuvakin.blogspot.com
http://www.info-secure.org
More information about the LogAnalysis
mailing list