File Access Auditing
Hello,

I have been looking for the last few months for a good method of auditing access to files by my users. I use a SuSE Linux (presently 7.2) system with Samba and Netatalk as a file server. What I really need is the ability to say that at 3:32 PM on March 12th, user Debbie accessed the file /path/to/some/file/here.

I have looked at Snare, but on my test machine (which is a single-processor Celeron 333 instead of my production servers, which are dual Xeons), it makes the machine unusably slow. While I realize that a Celeron 333 is a far cry from a dual Xeon, the Xeons have far more users than the test server, which has a single user.

I have also looked at modifying the audit module which ships with Samba so that rather than print to syslog, it stores information into a Postgresql database. This has two problems. The first being that the VFS interface to Samba has not been stabilized. The second being that it does not audit my Macs.

I have looked at Tripwire, but that seems to really be geared towards static files and detecting changes that should not have happened rather than just logging accesses.

Another problem I've seen with Snare is that it will most likely log file accesses when my backup program is running, which will add 50-60,000 entries to the log file. That is a very bad thing as the log file will grow way too fast.

Thank you for any suggestions you may have.

Bill Miller Jr.
jrmiller@cbnlottery.com
On 14 Mar 2002, Bill Miller wrote:
I have also looked at modifying the audit module which ships with Samba so that rather than print to syslog, it stores information into a Postgresql database. This has two problems. The first being that the VFS interface to Samba has not been stabilized. The second being that it does not audit my Macs.
Unfortunately, VFS support is broken in all 2.2.x releases :( You'll find some diffs to fix it at http://cvsweb.openantivirus.org/samba-vscan. Moreover, IIRC our Samba RPMs have working VFS support since 2.2.1a (unfortunately, the VFS stuff changed from version to version and our VFS diff does not fix the audit example). Please have a look at my samba-vscan stuff for how to use VFS modules with all Samba 2.2.x and 3.0 alphaX releases. Or go to marc.theaimsgroup.com, then select the samba-technical ML archive and do a search for "VFS". Somebody posted a patch for VFS incl. the audit example.

HTH, best regards,
Rainer Link (SuSE Labs)

--
Rainer Link | SuSE - The Linux Experts
link@suse.de | Developer of A Mail Virus Scanner (www.amavis.org)
www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org)
On Thu, 14 Mar 2002, Rainer Link wrote: [..]
Postgresql database. This has two problems. The first being that the VFS interface to Samba has not been stabilized. The second being that it does not audit my Macs.

Unfortunately, VFS support is broken in all 2.2.x releases :( You'll find some diffs to fix it at http://cvsweb.openantivirus.org/samba-vscan. Moreover, IIRC our Samba RPMs have working VFS support since 2.2.1a (unfortunately, the VFS stuff changed from version to version and our VFS diff does not fix the audit example). [..]
Forgot to mention: Samba VFS itself seems to be stable. At least I know some companies which use VFS+samba-vscan in production. But this method is limited to Samba only. What about the dnotify method? (See /usr/src/linux/Documentation/dnotify.txt or http://www.jedi.claranet.fr/eliott/ as an example.) Or fam/imon? (http://oss.sgi.com/projects/fam/). Or as a kernel module? This reminds me of the (old) auditd stuff from HERT. All stuff untested :)

best regards,
Rainer Link (SuSE Labs)

--
Rainer Link | SuSE - The Linux Experts
link@suse.de | Developer of A Mail Virus Scanner (www.amavis.org)
www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org)
On Thu, 2002-03-14 at 12:33, Rainer Link wrote:
But this method is limited to Samba only. What about the dnotify method? (see /usr/src/linux/Documentation/dnotify.txt or http://www.jedi.claranet.fr/eliott/ as an example). Or fam/imon? (http://oss.sgi.com/projects/fam/). Or as a kernel module? reminds me of the (old) auditd stuff from HERT. All stuff untested :)
I have begun looking into using the kernel's directory notification mechanisms for auditing purposes. I took the sample in dnotify.txt and compiled it. The problem I am running into is that in the siginfo_t structure, it passes back the file descriptor, and I have been unable to find a way to take a file descriptor and get the associated filename. I know that /proc/<pid>/fd/<fd> points to the file, but I am still not sure how that will help me get the filename of the file being read/written/created/deleted/etc.

Bill Miller
jrmiller@cbnlottery.com
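An added example, not code from the thread or from dnotify.txt: a minimal dnotify watcher in C that takes the descriptor delivered in siginfo_t.si_fd and resolves it through /proc/self/fd, the way Bill is asking about. It assumes Linux with /proc mounted; note that si_fd identifies the watched directory, so the readlink yields the directory path, never the name of the entry that was touched.

```c
#define _GNU_SOURCE            /* for F_SETSIG, F_NOTIFY and the DN_* flags */
#include <fcntl.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>

/* Resolve an open descriptor to a path by reading its /proc/self/fd symlink. */
int fd_to_path(int fd, char *buf, size_t len)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, buf, len - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Arm dnotify on an open directory so signo arrives with siginfo_t filled in. */
int watch_directory(int dirfd, int signo)
{
    if (fcntl(dirfd, F_SETSIG, signo) < 0) return -1;
    return fcntl(dirfd, F_NOTIFY, DN_CREATE | DN_DELETE | DN_MODIFY | DN_MULTISHOT);
}
static volatile sig_atomic_t last_fd = -1;
/* si_fd is the watched directory's descriptor, not the touched file's:
 * dnotify reports which directory changed, never which entry. */
static void on_dnotify(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    last_fd = si->si_fd;        /* only store it; printf is not signal-safe */
}

int main(int argc, char **argv)
{
    char path[PATH_MAX];
    struct sigaction sa = { 0 };
    sa.sa_sigaction = on_dnotify;
    sa.sa_flags = SA_SIGINFO;
    int fd = open(argc > 1 ? argv[1] : ".", O_RDONLY);
    if (fd < 0 || sigaction(SIGRTMIN, &sa, NULL) < 0 || watch_directory(fd, SIGRTMIN) < 0) {
        perror("dnotify setup");
        return 1;
    }
    for (;;) {
        pause();                /* wake on each event, then name the directory */
        if (fd_to_path(last_fd, path, sizeof path) == 0)
            printf("change under %s (dir fd %d); entry name not reported\n", path, (int)last_fd);
    }
}
```

Because the entry name is missing, a watcher built this way can only say "something under /shared/debbie changed", not which file; recovering the file needs either a scan of the directory after each signal or a different hook, which is what the kernel-module suggestions later in the thread are about.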
On 14 Mar 2002, Bill Miller wrote:
On Thu, 2002-03-14 at 12:33, Rainer Link wrote:
But this method is limited to Samba only. What about the dnotify method? (see /usr/src/linux/Documentation/dnotify.txt or http://www.jedi.claranet.fr/eliott/ as an example). Or fam/imon? (http://oss.sgi.com/projects/fam/). Or as a kernel module? reminds me of the (old) auditd stuff from HERT. All stuff untested :)
I have begun looking into using the kernel's directory notification mechanisms for auditing purposes. I took the sample in dnotify.txt and compiled it. The problem I am running into is that in the siginfo_t structure, it passes back the file descriptor, and I have been unable to find a way to take a file descriptor and get the associated filename.
Actually, I think an LKM would be the best way. You may use the EventModule (http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/openxdsm/openxdsm/eventmodule...) as an example. Or DAZUKO from the German AV company H+BEDV; they release their kernel module as GPL officially today at CeBIT, IIRC. Quote from the description: "Dazuko is an operating system "plug-in" that provides 3rd-party applications an interface for file access control. It was originally developed by H+BEDV Datentechnik GmbH to be used for on-access virus scanning under Linux. Other uses include a file-access monitor/logger or external security implementations." Currently, Dazuko isn't mentioned on their web page. Or take a look at ChangedFiles (http://www.bangstate.com/software.html#changedfiles) or do a search on freshmeat.net. So, in short, there's a lot of code which could be used at least as an example :-)

HTH, best regards,
Rainer Link (SuSE Labs)

--
Rainer Link | SuSE - The Linux Experts
link@suse.de | Developer of A Mail Virus Scanner (www.amavis.org)
www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org)