[logs] How to log - commands and file access
James Turnbull
james at lovedthanlost.net
Fri Nov 9 18:21:56 PST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Anton Chuvakin wrote:
>> - all file access by process and username in real-time (not static) or if
>> it's not possible, which process and username access to some files (or
>> directory) like /etc/shadow, /data/ ...
>
> Unix binary audit is the answer to this one. Specifically,
>
> - Solaris BSM audit
> - HPUX Audit
> - AIX <whatever they call it>
>
Built into Linux 2.6 kernels is an extensive audit capability - the
Linux Auditing System. Have a look at the auditd man page:
http://linux.die.net/man/8/auditd
It's pretty powerful and you can cut down the volume of data by
specifying some fairly precise policies.
Regards
James Turnbull
James Turnbull <james at lovedthanlost.net>
- ---
Author of Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)
Hardening Linux
(http://www.amazon.com/gp/product/1590594444/)
- ---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHNRXD9hTGvAxC30ARAppZAJ9HXxovxGjG6vWscKKNVfBCwrMrCgCggHoc
FOJIHkFaGuaHx0aKsz1Onzc=
=BZ6h
-----END PGP SIGNATURE-----
More information about the LogAnalysis
mailing list