On 14 Mar 2002, Bill Miller wrote:
On Thu, 2002-03-14 at 12:33, Rainer Link wrote:
But this method is limited to Samba only. What about the dnotify method? (see /usr/src/linux/Documentation/dnotify.txt or http://www.jedi.claranet.fr/eliott/ as an example). Or fam/imon? (http://oss.sgi.com/projects/fam/). Or as a kernel module? reminds me of the (old) auditd stuff from HERT. All stuff untested :)
I have begun looking into using the kernel's directory notification mechanisms for auditing purposes. I took the sample in dnotify.txt and compiled it. The problem I am running into is that in the siginfo_t structure, it passes back the file descriptor, and I have been unable to find a way to take a file descriptor and get the associated filename.
Actually, I think a LKML would be the best way. You may use the EventModule (http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/openxdsm/openxdsm/eventmodule...) as an example.

Or DAZUKO from the german AV company H+BEDV, they release their kernel module as GPL officially today at CeBIT, IIRC. Quote from the description: "Dazuko is an operating system "plug-in" that provides 3rd-party applications an interface for file access control. It was originally developed by H+BEDV Datentechnik GmbH to be used for on-access virus scanning under Linux. Other uses include a file-access monitor/logger or external security implementations." Currently, Dazuko isn't mentioned on their web-page.

Or take a look at ChangedFiles (http://www.bangstate.com/software.html#changedfiles) or do a search on freshmeat.net.

So, in short - there's a lot of code which could be used at least as an example :-)

HTH, best regards,
Rainer Link (SuSE Labs)
--
Rainer Link | SuSE - The Linux Experts
link@suse.de | Developer of A Mail Virus Scanner (www.amavis.org)
www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org)
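The descriptor-to-name problem Bill raises above has a partial answer: si_fd in the dnotify signal is the descriptor of the watched directory, and a descriptor can be mapped back to a path by reading the /proc/self/fd/<n> symlink. The program below is an added example, not code from this thread or from dnotify.txt; it assumes Linux with /proc mounted, and the function names (fd_to_path, watch_directory, on_event) are my own. It only recovers the directory name, which is the limit of what dnotify delivers; the changed file itself still has to be found by comparing the directory's contents before and after the event.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifndef F_NOTIFY  /* Linux-specific fcntl values, spelled out in case the headers hide them */
#define F_SETSIG 1034
#define F_NOTIFY 1026
#define DN_MODIFY 0x00000002
#define DN_CREATE 0x00000004
#define DN_MULTISHOT 0x80000000
#endif
/* Map a descriptor to its path via the /proc/self/fd/<n> symlink; 0 on success, -1 otherwise. */
int fd_to_path(int fd, char *buf, size_t len) {
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, buf, len - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}
/* Arm dnotify on a directory: `signo` is raised with SA_SIGINFO and si_fd set to this fd. */
int watch_directory(const char *dir, int signo, unsigned long events) {
    int fd = open(dir, O_RDONLY);
    if (fd < 0) return -1;
    if (fcntl(fd, F_SETSIG, signo) < 0 || fcntl(fd, F_NOTIFY, events) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
static volatile sig_atomic_t last_fd = -1;
static void on_event(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    last_fd = si->si_fd;  /* dnotify identifies the watched directory, not the changed file */
}
int main(int argc, char **argv) {
    struct sigaction sa = { .sa_sigaction = on_event, .sa_flags = SA_SIGINFO };
    sigaction(SIGRTMIN, &sa, NULL);
    int fd = watch_directory(argc > 1 ? argv[1] : ".", SIGRTMIN,
                             DN_CREATE | DN_MODIFY | DN_MULTISHOT);
    if (fd < 0) { perror("watch_directory"); return 1; }
    char path[4096];
    for (;;) {  /* sleep until the kernel signals, then name the directory it refers to */
        pause();
        if (last_fd >= 0 && fd_to_path(last_fd, path, sizeof path) == 0)
            printf("change in %s (fd %d)\n", path, last_fd);
    }
}
```

Run it with a directory argument and touch a file inside that directory from another shell; the logged name is the directory, so an auditing tool built this way has to keep its own snapshot of the directory listing to attribute the event to a file.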