From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Auditing File Changes
Date: Tue, 11 Jul 2006 09:20:48 -0400
Message-ID: <200607110920.48392.sgrubb@redhat.com>
References: <20060710193214.95422.qmail@web36606.mail.mud.yahoo.com> <1152567463.18406.48.camel@localhost.localdomain> <3076.216.231.24.46.1152569340.squirrel@webmail.uci.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <3076.216.231.24.46.1152569340.squirrel@webmail.uci.edu>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday 10 July 2006 18:09, eklinger@uci.edu wrote:
> The original idea was to prevent the user from opening the file in any
> text or hex editor and changing the file or the file's allowed operations,
> which would be stored in the file itself.

The access has already occurred by the time the audit system tells you about
it. You are simply too late. What you need is access control. The MCS
capabilities in SE Linux/FC5 may help you. You can google for MCS.

-Steve