* Russell Miller ([EMAIL PROTECTED]) wrote: > I've been doing a lot of research on this, and I keep coming up with things > that don't work, have been abandoned, or are almost impossible to find or get > working. So I'll ask here. Maybe one of the ultra-elightened linux gods > will have a ready answer.
You'll have better luck using linux-audit list. > I want to be able to audit system calls - I want to log when files are > opened, > created, changed, deleted, etc. Preferably I would like to do it without > having to apply kernel patches, using vanilla (or close to vanilla) kernel. > If this isn't possible, my net preference is to use a module. If this isn't > possible, well, I'll do what I have to. No patches needed (although you will want 2.6.11 because the inode filter was busted, and you'll likely want to use it), for opened anyway. You'll need an additional auditfs patch for created/deleted/changed(for more than just knowing open w/ write access) and it's not a stable patch yet. > I notice there is a CONFIG_AUDIT option. Is this what I am looking for, and > how do I use it? /dev/audit seems not to work... You'll need auditd, auditctl, and some rules to capture what you care about. For example: To watch accesses to /etc/passwd (not creation/deletion events). # auditd # auditctl -a entry,possible -S open # auditctl -a exit,always -S open -F inode=(inode of /etc/passwd) -- Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/