Hi all,
I'm currently engaged for the first time with Solaris audit.
There is a need to monitor actions on files in specific directories, which is something I was unable to find any documentation for.
Can anyone offer any suggestions or workarounds?
But it is possible to have auditing on for files (f[rwdc] classes) for a specific user, use auditreduce to extract the information, then parse it with grep/awk/perl to extract the specific information into a plaintext file.
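The auditreduce-then-parse step described in this reply, as an added example that is not from the original thread: a small awk filter that reads praudit output (one token per line, as praudit prints by default) and reports only the records whose path token lies under a watched directory, keyed on the audit ID from the subject token so the user survives su. The sample records are constructed, and the token field positions (header event type in the 4th field, timestamp as the last field) are an assumption about the praudit format on a given Solaris release.

```shell
#!/bin/sh
# Constructed sample of `auditreduce -u alice | praudit` output (not real audit data).
# Records: a read and a failed write under /export/secure, plus one unrelated exec.
SAMPLE_RECORDS='header,134,2,open(2) - read,,2024-01-15 09:12:01.000 +00:00
path,/export/secure/contracts/q1.txt
attribute,100600,alice,staff,8388608,1234,0
subject,alice,alice,staff,alice,staff,2345,1111,0 0 host
return,success,3
header,120,2,execve(2),,2024-01-15 09:12:05.000 +00:00
path,/usr/bin/ls
subject,alice,alice,staff,alice,staff,2346,1111,0 0 host
return,success,0
header,130,2,open(2) - write,,2024-01-15 09:13:10.000 +00:00
path,/export/secure/contracts/q1.txt
attribute,100600,alice,staff,8388608,1234,0
subject,alice,alice,staff,alice,staff,2347,1111,0 0 host
return,failure: Permission denied,-1'

# Usage: file_access_report WATCHED_DIR < praudit-output
# Prints "timestamp event audit-user path result" for each record whose
# path token is inside WATCHED_DIR; records elsewhere (e.g. execs of /usr/bin)
# are dropped. Assumed token layout: header,len,ver,event,modifier,...,timestamp
# subject,audit-id,uid,gid,ruid,rgid,pid,sid,tid  and  return,description,value
file_access_report() {
  awk -F, -v dir="$1" '
    function flush() {
      if (path != "" && index(path, dir "/") == 1)
        print ts, ev, user, path, res
      path = ""; user = ""; ev = ""; ts = ""; res = ""
    }
    $1 == "header"  { flush(); ev = $4; ts = $NF }   # new record starts
    $1 == "path"    { path = $2 }                    # file the call touched
    $1 == "subject" { user = $2 }                    # audit ID, not effective uid
    $1 == "return"  { res = $2 }                     # success / failure reason
    END { flush() }
  '
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_RECORDS" | file_access_report /export/secure
```

In practice replace the sample with `auditreduce -u USER -c fr,fw,fd,fc | praudit` and point the function at the directory you care about.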
Thanks for the quick reply,
I was thinking as an alternative to monitor the files opened by applications (you need to run a process to deal with a file right?) using the ex class together with argv.
Does it sound reasonable?
ex class will monitor exec and execve system calls and audit those.
Be careful if your apps are running as root (which they should not), since auditing every root exec or execve call will generate a lot of logs.
Other than that, argv will also audit everything that is passed to a program as an argument.
Sounds reasonable if that is what you want to audit and it is run by a user, not root.
Of course, test it; don't deploy auditing on a production system before careful testing on test systems. Experiment with various classes to achieve the needed results, then go forward.
If deployed wrong, it can halt your system if, for instance, there is no space left for audit logs (if configured like that).
Tracing execs and examining arg lists will not capture interactive file editing. For example:
vi unaudited_file
:e audited_file
Tracing file accesses (as Peasant suggested in post #2 in this thread) would enable you to find out who accessed (or modified) audited_file; tracing execs and arg lists will not see that audited_file was referenced.
Thank you both for the replies. Let's hope that the performance penalty of the audit on the server will be negligible (space is not an issue).
By the way, is there some estimate of what impact file auditing would have on performance? I could not find much online...
It really depends on your workload, what is being done on the server being audited, and the level of auditing.
As I said earlier, handle with care and measure performance.
Auditing can be a vector for a DDoS attack: if you know every exec call is being logged, you can easily generate gigabytes of logs through an application or the command line (if you have an account).