On Sat, 2004-02-14 at 14:50, hanasaki wrote:
> what package and daemon does the audit of every file executed?
>
There is the snoopy package which logs all execve calls.

> Phillip Hofmeister wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Sat, 14 Feb 2004 at 01:31:52PM -0500, Wade Richards wrote:
> >
> >>Hi,
> >>
> >>This isn't a major problem for me, but since it's related to auditing
> >>file access, I thought the security people would have an answer.
> >>
> >>Every once in a while I get a bunch of errors because some process tried
> >>to access my CDROM, triggering automount when there's no disk in the
> >>drive.
> >>
> >>I'd like to figure out what program is doing this. I've already spent a
> >>lot of time searching through my cron logs, to no avail.
> >>
> >>Is there any way to audit file access, so I can see (after the fact)
> >>which program was responsible for trying to view "/var/autofs/misc/cd"?
> >
> >
> > A few things.
> >
> > 1. You can see which file descriptors are currently open by running
> > lsof. This won't help you after the fact though.
> >
> > 2. I believe if you compile your kernel with the GRSecurity Patch
> > (http://www.grsecurity.org) you can audit successful file opens (as one
> > of the kernel config options). WARNING: BE PREPARED FOR A HUGE LOG
> > FILE!!!!!
> >
> > 3. Myself, I audit every command that gets executed. The log has a week
> > rotation period. In a week the log usually becomes around 90 MB (This
> > is just a log saying what ran, not what files were opened).
> >
> > Good luck!
> >
> > - --
> > Phillip Hofmeister
> >
> > PGP/GPG Key:
> > http://www.zionlth.org/~plhofmei/
> > wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.3 (GNU/Linux)
> >
> > iD8DBQFALneuS3Jybf3L5MQRAiSoAJ0YDmSSEcigR0ymK53zeWDMkbD0/ACfd5w6
> > D2rH/l1zgi1nQOwyXprVQWc=
> > =U7ap
> > -----END PGP SIGNATURE-----
> >
>
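The thread suggests an execve log (snoopy, or Phillip's "audit every command that gets executed") as the after-the-fact tool for Wade's question. The script below is an added example, not code from anyone in the thread or from the snoopy project: it parses execve records and pulls out the executions whose arguments could have walked into "/var/autofs/misc/cd". The line layout it parses ("[uid:.. sid:.. tty:.. cwd:.. filename:..]: cmdline", after the syslog prefix) is an assumption based on snoopy's later default log format; the 2004 package may have printed something different, so adjust LINE_RE to what your syslog actually shows. The sample log lines are constructed for the example.

```python
import re
import shlex
from collections import Counter

# Assumed snoopy-style record: "<syslog timestamp> <host> snoopy[pid]:
# [uid:N sid:S tty:T cwd:D filename:F]: <command line>".  This is an
# assumption about the log layout, not something taken from the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snoopy\[(?P<pid>\d+)\]: "
    r"\[uid:(?P<uid>\d+) sid:(?P<sid>\S+) tty:(?P<tty>\S+) cwd:(?P<cwd>\S+) "
    r"filename:(?P<filename>\S+)\]: (?P<cmdline>.*)$"
)

# Constructed sample log; not captured from any real machine.
SAMPLE_LOG = """\
Feb 14 03:17:01 box snoopy[2041]: [uid:0 sid:1 tty:(none) cwd:/ filename:/usr/bin/find]: find / -xdev -type f -newer /tmp/stamp
Feb 14 03:17:02 box snoopy[2042]: [uid:0 sid:1 tty:(none) cwd:/ filename:/bin/ls]: ls -l /var/autofs/misc/cd
Feb 14 03:17:02 box snoopy[2043]: [uid:0 sid:1 tty:(none) cwd:/ filename:/usr/bin/du]: du -sx /var/autofs/misc
Feb 14 03:17:03 box snoopy[2044]: [uid:0 sid:1 tty:(none) cwd:/ filename:/bin/ls]: ls /var/autofs/misc/cd/
Feb 14 09:00:00 box snoopy[2110]: [uid:1000 sid:2 tty:/dev/pts/0 cwd:/home/wade filename:/usr/bin/vim]: vim notes.txt
Feb 14 09:00:05 box snoopy[2111]: [uid:1000 sid:2 tty:/dev/pts/0 cwd:/home/wade filename:/usr/bin/updatedb]: updatedb
"""


def parse_snoopy(text):
    """Return one dict per execve record; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["uid"] = int(rec["uid"])
            rec["pid"] = int(rec["pid"])
            records.append(rec)
    return records


def _argv(cmdline):
    # snoopy logs the command line as one string; split it back into argv.
    try:
        return shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the logged line
        return cmdline.split()


def arg_touches(arg, path):
    """True if arg is the path itself, something below it, or an ancestor
    directory (a recursive walk started from an ancestor, "/" included, can
    trigger the automounter just as well as naming the mount point)."""
    if not arg.startswith("/"):
        return False
    a = arg.rstrip("/") or "/"
    p = path.rstrip("/")
    if a == p or a.startswith(p + "/"):
        return True
    return a == "/" or p.startswith(a + "/")


def suspects(records, path):
    """Records whose argv names the path, a child of it, or an ancestor of it."""
    return [r for r in records
            if any(arg_touches(arg, path) for arg in _argv(r["cmdline"]))]


def rank_by_program(records):
    """Count suspect executions per (uid, executable), most frequent first."""
    return Counter((r["uid"], r["filename"]) for r in records).most_common()


if __name__ == "__main__":
    hits = suspects(parse_snoopy(SAMPLE_LOG), "/var/autofs/misc/cd")
    for r in hits:
        print(r["ts"], "uid", r["uid"], r["filename"], "::", r["cmdline"])
    print(rank_by_program(hits))
```

The constructed "updatedb" line illustrates the caveat Phillip raises in point 3: a program that walks the filesystem without naming the path on its command line leaves nothing for this script to match, because an execve log records what ran, not what it opened. For those cases, correlate the timestamps of the automount errors with the execve records logged in the same second or two, or fall back to kernel-level open() auditing as in his point 2.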