From mboxrd@z Thu Jan  1 00:00:00 1970
From: "Timothy R. Chavez" <tinytim@us.ibm.com>
Subject: Re: Auditing File Changes
Date: Mon, 10 Jul 2006 16:02:14 -0500
Message-ID: <1152565335.18406.28.camel@localhost.localdomain>
References: <20060710193214.95422.qmail@web36606.mail.mud.yahoo.com>
	<200607101942.k6AJgUo2016221@turing-police.cc.vt.edu>
	<1152561408.4275.17.camel@fryspc>
	<200607102051.k6AKpVWU018820@turing-police.cc.vt.edu>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx3.redhat.com (mx3.redhat.com [172.16.48.32])
	by int-mx1.corp.redhat.com (8.12.11.20060308/8.12.11) with ESMTP id
	k6AL2WBb018839
	for <linux-audit@redhat.com>; Mon, 10 Jul 2006 17:02:32 -0400
Received: from e33.co.us.ibm.com (e33.co.us.ibm.com [32.97.110.151])
	by mx3.redhat.com (8.13.1/8.13.1) with ESMTP id k6AL2QCB004750
	for <Linux-audit@redhat.com>; Mon, 10 Jul 2006 17:02:26 -0400
Received: from westrelay02.boulder.ibm.com (westrelay02.boulder.ibm.com
	[9.17.195.11])
	by e33.co.us.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id
	k6AL2Inv006510
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL)
	for <Linux-audit@redhat.com>; Mon, 10 Jul 2006 17:02:20 -0400
Received: from d03av01.boulder.ibm.com (d03av01.boulder.ibm.com [9.17.195.167])
	by westrelay02.boulder.ibm.com (8.13.6/NCO/VER7.0) with ESMTP id
	k6AL1RqY028554
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <Linux-audit@redhat.com>; Mon, 10 Jul 2006 15:01:28 -0600
Received: from d03av01.boulder.ibm.com (loopback [127.0.0.1])
	by d03av01.boulder.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id
	k6AL2FkZ006529
	for <Linux-audit@redhat.com>; Mon, 10 Jul 2006 15:02:15 -0600
In-Reply-To: <200607102051.k6AKpVWU018820@turing-police.cc.vt.edu>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Valdis.Kletnieks@vt.edu
Cc: Linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Mon, 2006-07-10 at 16:51 -0400, Valdis.Kletnieks@vt.edu wrote:
> On Mon, 10 Jul 2006 14:56:47 CDT, LC Bruzenak said:
> 
> (Addressing the actual design seperately)
> 
> > As Steve Grubb said, instrument the processes with trusted access.
> > Have file watches which note when certain "critical" files are opened
> > for write/append.
> > Have an audit analysis program which compares the trusted accesses to
> > the total accesses; the delta shows potentially interesting mods.
> 
> Ahh... but to find that delta, you don't really need to record the actual
> changes, do you?  You can (hopefully/presumably) then recover the old version
> of the modified file and diff it.

Assuming you were wanting to audit write()'s, maybe the record could
include the offset into the file where writing began and how many bytes
were written.  This obviously has some pretty major limitations in
usefulness, but would be more feasible than actually logging the
differences!

<snip>

-tim