[clug] File system logging/auditing

Red Phoenix intersect at gmail.com
Thu Oct 20 06:21:26 GMT 2005


Heya Damien,

'Snare' might be the thing you're looking for. As the developer, I might be
a bit biased, but it sounds right, based on your requirements.

Tripwire might be useful for you though, if all you want to do is detect
whether a file has been changed. Unfortunately, it won't tell you whether a
file has been accessed (or more to the point, if someone attempts access,
and fails).

Snare's a required part of the US DoD/DISA Common Operating Environment, is
used in quite a lot of govt departments and organisations, and is included in a
few enterprise-focused distributions (e.g. SGI Altix) by default.

We're hoping that the new audit subsystem in 2.6.12+ will take over most of
the kernel-level functionality in Snare, but if you're running
FC3/RHEL4/Debian Sarge/SuSE 9/SLES, or anything earlier than this, you might
want to check Snare out.

Incidentally, we also have Snare agents for Windows/AIX/Irix/Tru64/Solaris
and a whole bunch of others. All open source.

http://www.intersectalliance.com/projects/index.html for more info.

Regards,

Leigh.


psyex at netspace.net.au wrote:
> > Hi,
> >
> > Has anyone ever set up some way of logging/auditing file system events
> > under Linux? If so, how did you achieve this?
> >
> > I know that Windows will log many events (such as date, time, user, and
> > type of operation for reads, writes, stats, etc.) to the system log when
> > the auditing capability is enabled. A similar function to this under
> > Linux is what I'm after.
> >
> > Cheers,
> > Damien