* File Monitoring
@ 2006-07-24 16:11 Steve
  0 siblings, 0 replies; 4+ messages in thread
From: Steve @ 2006-07-24 16:11 UTC (permalink / raw)
  To: linux-audit

I am monitoring open syscalls on /etc/shadow and am receiving alerts 
that I would like to suppress.  Is it possible to exclude alerts for 
files opened with particular commands?  For example, xlock opening the 
shadow file?  I didn't see an option like this in the auditctl man page, 
but I know those pages may be outdated.

Thanks,
Steve


* File monitoring
@ 2007-01-27 20:31 Jan Engelhardt
  2007-01-27 21:41 ` Trond Myklebust
  2007-01-28 22:49 ` Bill Rugolsky Jr.
  0 siblings, 2 replies; 4+ messages in thread
From: Jan Engelhardt @ 2007-01-27 20:31 UTC (permalink / raw)
  To: nfs

Hello list,


as part of implementing a netboot solution, I observe that the client 
pulls about 128 MB of data (measured in iptraf, so it includes 
IPv4 headers too). You probably agree that this contributes to a boot 
that could possibly be sped up (even if the same distribution was to 
read from local disk). I wonder what files it actually accesses. Is 
there some utility to get a listing of all the files that were accessed? 
tcpdump provides a nice hint, e.g.

21:29:09.877364 IP 192.168.222.34.3204330825 > 192.168.222.1.2049: 116 
lookup fh 
Unknown/0100000100160005118A180EF8B50D0D000000000000001068616C2D6765742D  
"hal-get-property"

But at best I'd like to have the full pathname (to distinguish the 
fictional case /bin/cat vs /usr/bin/cat)


	-`J'
-- 

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
NFS maillist  -  NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs


* Re: File monitoring
  2007-01-27 20:31 File monitoring Jan Engelhardt
@ 2007-01-27 21:41 ` Trond Myklebust
  2007-01-28 22:49 ` Bill Rugolsky Jr.
  1 sibling, 0 replies; 4+ messages in thread
From: Trond Myklebust @ 2007-01-27 21:41 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: nfs

On Sat, 2007-01-27 at 21:31 +0100, Jan Engelhardt wrote:
> Hello list,
> 
> 
> as part of implementing a netboot solution, I observe that the client 
> pulls about 128 MB of data (measured in iptraf, so it includes 
> IPv4 headers too). You probably agree that this contributes to a boot 
> that could possibly be sped up (even if the same distribution was to 
> read from local disk). I wonder what files it actually accesses. Is 
> there some utility to get a listing of all the files that were accessed? 
> tcpdump provides a nice hint, e.g.
> 
> 21:29:09.877364 IP 192.168.222.34.3204330825 > 192.168.222.1.2049: 116 
> lookup fh 
> Unknown/0100000100160005118A180EF8B50D0D000000000000001068616C2D6765742D  
> "hal-get-property"
> 
> But at best I'd like to have the full pathname (to distinguish the 
> fictional case /bin/cat vs /usr/bin/cat)

Filehandles do not normally contain path information, but
Ethereal/Wireshark does have the ability to use the above LOOKUP
information to construct a reverse map, so you might want to try that.

Otherwise, the only way to do it is to use something like the "strace"
utility in order to ptrace the open() syscalls.

  Trond
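
The reverse map mentioned in the reply above, as an added example that is not part of the original message and is not Wireshark's code: each LOOKUP ties a directory handle and a name to the handle returned, so walking child-to-parent links rebuilds a path relative to the export root. The handle strings, ROOT_FH and the sample records are constructed for illustration.

```python
# Constructed sample records: one tuple per successful LOOKUP in a capture,
# (directory handle, name looked up, handle returned). Handles are shortened
# placeholders, not real NFS filehandles.
ROOT_FH = "fh-root"  # assumption: export root handle, known from the MOUNT reply
LOOKUPS = [
    ("fh-root", "usr", "fh-usr"),
    ("fh-root", "bin", "fh-bin"),
    ("fh-usr", "bin", "fh-usrbin"),
    ("fh-bin", "cat", "fh-cat1"),
    ("fh-usrbin", "cat", "fh-cat2"),
    ("fh-usrbin", "hal-get-property", "fh-hal"),
    ("fh-unseen", "passwd", "fh-passwd"),  # parent resolved before capture began
]
READ_FHS = ["fh-cat2", "fh-hal", "fh-passwd", "fh-cat2"]  # handles seen in READ calls

def build_reverse_map(lookups):
    """Return {child handle: (parent handle, name)} from observed LOOKUPs."""
    rev = {}
    for parent, name, child in lookups:
        if name in (".", ".."):
            continue  # these would link a handle to itself or back to its child
        rev[child] = (parent, name)  # hard links: the last name seen wins
    return rev

def path_for(fh, rev, root_fh=ROOT_FH):
    """Walk child -> parent links up to the export root and join the names."""
    parts, seen = [], set()
    while fh != root_fh:
        if fh not in rev or fh in seen:
            # Ancestry not in the capture (or a loop): report what is known.
            return "/".join(["<unknown>"] + parts[::-1])
        seen.add(fh)
        fh, name = rev[fh]
        parts.append(name)
    return "/" + "/".join(parts[::-1])

def accessed_paths(read_fhs, lookups, root_fh=ROOT_FH):
    """Sorted, de-duplicated paths for the handles that were actually read."""
    rev = build_reverse_map(lookups)
    return sorted({path_for(fh, rev, root_fh) for fh in read_fhs})

if __name__ == "__main__":
    for p in accessed_paths(READ_FHS, LOOKUPS):
        print(p)
```

A handle whose parent LOOKUP happened before the capture started comes back prefixed with `<unknown>`, which is why the capture has to begin before the client mounts the export.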



* Re: File monitoring
  2007-01-27 20:31 File monitoring Jan Engelhardt
  2007-01-27 21:41 ` Trond Myklebust
@ 2007-01-28 22:49 ` Bill Rugolsky Jr.
  1 sibling, 0 replies; 4+ messages in thread
From: Bill Rugolsky Jr. @ 2007-01-28 22:49 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: nfs

On Sat, Jan 27, 2007 at 09:31:42PM +0100, Jan Engelhardt wrote:
> as part of implementing a netboot solution, I observe that the client 
> pulls about 128 MB of data (measured in iptraf, so it includes 
> IPv4 headers too). You probably agree that this contributes to a boot 
> that could possibly be sped up (even if the same distribution was to 
> read from local disk). I wonder what files it actually accesses. Is 
> there some utility to get a listing of all the files that were accessed? 
> tcpdump provides a nice hint, e.g.
 
For testing, try using UNFS3 ( http://unfs3.sourceforge.net ), a userspace
NFSv3 server implementation, rather than the in-kernel knfsd server.  It should
be a simple matter to hack up the server code to log the client file accesses.

Regards,

	Bill Rugolsky
