From mboxrd@z Thu Jan 1 00:00:00 1970
From: LC Bruzenak
Subject: Re: Auditing File Changes
Date: Mon, 10 Jul 2006 14:56:47 -0500
Message-ID: <1152561408.4275.17.camel@fryspc>
References: <20060710193214.95422.qmail@web36606.mail.mud.yahoo.com> <200607101942.k6AJgUo2016221@turing-police.cc.vt.edu>
In-Reply-To: <200607101942.k6AJgUo2016221@turing-police.cc.vt.edu>
To: Valdis.Kletnieks@vt.edu
Cc: Linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Mon, 2006-07-10 at 15:42 -0400, Valdis.Kletnieks@vt.edu wrote:
...
>
> Probably depends on what actual problem he's trying to solve by recording
> all the changes.

Most likely the same one I have been working on all my career:

Security guy: Please deliver system with maximum security.
System guy (me): What do you need to know?
Security guy: Any and all changes to security-relevant files.
System guy: Which ones are those?
Security guy: All of 'em.

Basically my plan is this:
As Steve Grubb said, instrument the processes with trusted access.
Have file watches which note when certain "critical" files are opened for write/append.
Have an audit analysis program which compares the trusted accesses to the total accesses; the delta shows potentially interesting mods.

LCB.
-- 
LC Bruzenak lenny@bruzenak.com
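An audit analysis pass of the kind the message outlines, written here as an added example and not the author's code: it groups constructed auditd-style SYSCALL/PATH records by event serial, keeps the ones from a file watch with key "critical", and reports successful writes whose executable is not on a hypothetical per-file trusted list (the "delta" between trusted and total accesses). The trusted list and all log lines are constructed for illustration.

```python
"""Report writes to watched files that did not come from a trusted process.

Assumes watches were set with something like `auditctl -w /etc/shadow -p wa -k critical`,
so each open-for-write of a watched file produces a SYSCALL record carrying key="critical"
plus PATH records for the same event serial.  Sample log lines below are constructed.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1152561408.000:101): arch=c000003e syscall=2 success=yes exit=3 a0=7fff1234 a1=241 uid=0 auid=500 comm="passwd" exe="/usr/bin/passwd" key="critical"
type=PATH msg=audit(1152561408.000:101): item=1 name="/etc/shadow" inode=1234 mode=0100000
type=SYSCALL msg=audit(1152561409.000:102): arch=c000003e syscall=2 success=yes exit=3 a0=7fff5678 a1=441 uid=0 auid=500 comm="vi" exe="/usr/bin/vi" key="critical"
type=PATH msg=audit(1152561409.000:102): item=0 name="/etc/shadow" inode=1234 mode=0100000
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted value"
SERIAL = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')  # (timestamp, event serial)

# Hypothetical trusted list: executables expected to modify each watched file.
TRUSTED = {
    "/etc/shadow": {"/usr/bin/passwd", "/usr/sbin/usermod"},
    "/etc/passwd": {"/usr/sbin/useradd", "/usr/sbin/usermod"},
}

def parse_events(log, key="critical"):
    """Group records by serial; keep events whose SYSCALL record carries the watch key."""
    events = defaultdict(lambda: {"paths": []})
    for line in log.splitlines():
        m = SERIAL.search(line)
        if not m:
            continue
        ev = events[m.group(2)]
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("type") == "SYSCALL":
            ev.update(fields)                     # exe, auid, success, key, ...
        elif fields.get("type") == "PATH" and "name" in fields:
            ev["paths"].append(fields["name"])    # file(s) touched by this event
    return {s: e for s, e in events.items() if e.get("key") == key}

def untrusted_writes(log, trusted=TRUSTED):
    """The delta: successful writes to a watched file by an exe not on its trusted list."""
    hits = []
    for serial, ev in sorted(parse_events(log).items(), key=lambda kv: int(kv[0])):
        if ev.get("success") != "yes":
            continue
        for path in ev["paths"]:
            if path in trusted and ev.get("exe") not in trusted[path]:
                hits.append((serial, path, ev.get("exe"), ev.get("auid")))
    return hits

if __name__ == "__main__":
    for serial, path, exe, auid in untrusted_writes(SAMPLE_LOG):
        print(f"event {serial}: {path} written by {exe} (auid={auid}) -- not on trusted list")
```

On a live system the same logic runs over `ausearch -k critical` output instead of the embedded sample; anything it prints is a write to a watched file that no instrumented, trusted process accounts for.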