From: Steve Grubb
Subject: Re: linux-audit: reconstruct path names from syscall events?
Date: Wed, 10 Oct 2012 19:00:40 -0400
Message-ID: <4547273.ji5OMfINXo@x2>
References: <20110917001215.GA961@zombie.hq.fstein.net> <20121009235446.GZ2616@ZenIV.linux.org.uk>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, October 10, 2012 03:45:08 PM Mark Moseley wrote:
> On Tue, Oct 9, 2012 at 4:54 PM, Al Viro wrote:
> > Again, relying on pathnames for forensics (or security in general) is
> > a serious mistake (cue unprintable comments about apparmor and similar
> > varieties of snake oil). And using audit as poor man's ktrace analog
> > is... misguided, to put it very mildly.
>
> Caveat: I'm just a sysadmin, so this stuff is as darn near "magic" as
> I get to see on a regular basis, so it's safe to expect some naivety
> and/or misguidedness on my part :)
>
> I'm just using it as a log of files that have been written/changed on
> moderately- to heavily-used systems. If there's another in-kernel
> mechanism that'd be better suited for that sort of thing (at least
> without adding a lot of overhead), I'd be definitely eager to know
> about it. It's a web hosting environment, with customer files all
> solely on NFS, so writes to the same directory can come from an
> arbitrary number of servers. When they get swamped with write
> requests, the amount of per-client stats exposed by our Netapp and
> Oracle NFS servers is often only enough to point us at a client server
> with an abusive user on it (but not much more, without turning on
> debugging). Having logs of who's doing writes would be quite useful,
> esp when writes aren't happening at that exact moment and wouldn't
> show up in tools like iotop. The audit subsystem seemed like the best
> fit for this kind of thing, but I'm more than open to whatever works.

The audit system is the best fit. But I think Al is saying there are some
limitations. I know that Eric pushed some patches a while back that make a
stronger effort at collecting some of this information. What kernel are you
using?

-Steve
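As an added example that is not part of this thread or of the audit package, the following Python script reconstructs who wrote which file from the raw SYSCALL, CWD and PATH records auditd logs for a successful open(2): it groups records by event serial, resolves relative PATH names against the CWD record, and keeps only opens whose flags imply a write. The sample log lines, the x86_64 arch/syscall values and the rule key are constructed assumptions.

```python
import re
from collections import defaultdict
from posixpath import join, normpath

# Constructed sample (not from a real system): the records two open(2) calls emit
# under a "-w /srv/www -p w -k webwrites" watch; event 4568 is a read-only open.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1349908808.123:4567): arch=c000003e syscall=2 success=yes exit=3 a0=7f1c a1=241 a2=1b6 a3=0 items=2 ppid=2101 pid=2188 auid=4294967295 uid=1003 gid=1003 euid=1003 comm="php-cgi" exe="/usr/bin/php-cgi" key="webwrites"
type=CWD msg=audit(1349908808.123:4567):  cwd="/srv/www/customer7"
type=PATH msg=audit(1349908808.123:4567): item=0 name="htdocs/" inode=9001 dev=00:1c mode=040755 ouid=1003 ogid=1003 rdev=00:00
type=PATH msg=audit(1349908808.123:4567): item=1 name="htdocs/upload.tmp" inode=9002 dev=00:1c mode=0100644 ouid=1003 ogid=1003 rdev=00:00
type=SYSCALL msg=audit(1349908809.500:4568): arch=c000003e syscall=2 success=yes exit=4 a0=7f20 a1=0 a2=0 a3=0 items=1 ppid=2101 pid=2190 auid=4294967295 uid=1003 gid=1003 euid=1003 comm="php-cgi" exe="/usr/bin/php-cgi" key="webwrites"
type=CWD msg=audit(1349908809.500:4568):  cwd="/srv/www/customer7"
type=PATH msg=audit(1349908809.500:4568): item=0 name="htdocs/index.php" inode=9003 dev=00:1c mode=0100644 ouid=1003 ogid=1003 rdev=00:00
"""
HEADER_RE = re.compile(r'^type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
WRITE_FLAGS = 0o1 | 0o2 | 0o100 | 0o1000  # O_WRONLY|O_RDWR|O_CREAT|O_TRUNC on x86_64

def parse_fields(rest):
    return {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}  # k=v / k="v" pairs

def reconstruct_writes(log_text):
    """Return [(uid, comm, absolute_path)] for every successful write-mode open(2).
    Records sharing a serial are one event; the highest PATH item is the target."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an audit record
        rtype, serial, rest = m.groups()
        if rtype == "PATH":
            events[serial]["paths"].append(parse_fields(rest))
        else:
            events[serial][rtype] = parse_fields(rest)
    results = []
    for ev in events.values():
        sc = ev.get("SYSCALL", {})
        if sc.get("success") != "yes" or not ev["paths"]:
            continue
        if sc.get("arch") != "c000003e" or sc.get("syscall") != "2":
            continue  # only x86_64 open(2) is decoded here; a1 carries its flags in hex
        if int(sc.get("a1", "0"), 16) & WRITE_FLAGS == 0:
            continue  # read-only open: leaves no file change behind
        target = max(ev["paths"], key=lambda p: int(p.get("item", "0")))
        name = target.get("name", "")
        cwd = ev.get("CWD", {}).get("cwd", "/")  # relative names resolve against CWD
        path = name if name.startswith("/") else join(cwd, name)
        results.append((sc.get("uid"), sc.get("comm"), normpath(path)))
    return results
```

Feeding it the raw output of `ausearch -k webwrites --raw` (or the audit.log file directly) yields one tuple per file actually opened for writing, which is the per-user view the NFS server stats cannot give.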