public inbox for linux-kernel@vger.kernel.org
* file access log
@ 2001-08-09  2:45 Yasunori GOTO
  2001-08-09 11:11 ` john slee
  0 siblings, 1 reply; 2+ messages in thread
From: Yasunori GOTO @ 2001-08-09  2:45 UTC (permalink / raw)
  To: linux-kernel


Hello.

I want to make a function which checks file access
(create(), unlink(), and rename(), etc.)
and takes a log.

When a file access succeeds or results in a permission error,
the kernel gathers the log.
Then, the security of Linux will improve.

(For example, by recording accesses to files in the /etc directory with this function,
 the system administrator can understand a bad user's operations.)

I am examining how to make it now. 

Basic concepts are as follows. 
  - I think that the layer for the access check is the VFS in the kernel.
  - Information on the access check is written to a buffer in the kernel,
     and the record is taken out of the kernel buffer by a logging daemon.
  - I will make a tool which retrieves and displays the gathered log later.

Thanks.

--------------------------------------
  Yasunori Goto
    Development Department 2  
    Basis Software Division
    Software Group      
    FUJITSU LIMITED
    E-mail: y-goto@jp.fujitsu.com




* Re: file access log
  2001-08-09  2:45 file access log Yasunori GOTO
@ 2001-08-09 11:11 ` john slee
  0 siblings, 0 replies; 2+ messages in thread
From: john slee @ 2001-08-09 11:11 UTC (permalink / raw)
  To: Yasunori GOTO; +Cc: linux-kernel

On Thu, Aug 09, 2001 at 11:45:00AM +0900, Yasunori GOTO wrote:
> I want to make a function which checks file access
> (create(), unlink(), and rename(), etc.)
> and takes a log.

there are many applications for this sort of kernel interface.  sgi have
an implementation of it called imon, but the patches don't seem to be
maintained anymore.

what sort of interface were you considering?  my first impression was to
create something similar to route sockets, but i'm not really a kernel
hacker...  i believe imon+fam used something like this but also using
fcntl() hacks, which to me seems a bit ugly... anyone want to correct
me? :-/

j.

-- 
"Bobby, jiggle Grandpa's rat so it looks alive, please" -- gary larson
