audit question (fwd)

Logan Gabriel gersh at sonn.com
Thu Nov 8 19:18:47 GMT 2001


Storing device/inode numbers would be problematic because of hardlinks;
it is possible to not know what file in the namespace was accessed.

Caching the name of the file on open seems like a more reasonable
solution, though I can see several headaches with this as well, such as file /
directory renames.  What happens if you cache a directory name and then
that directory is renamed?  That will have to be caught as well or further
path construction could be inaccurate.

However I think this is the best approach I've heard of to date.

Logan Gabriel
Senior Software Engineer 
Intrusion Prevention LLC
Gersh at EFnet | Logan0x05 at aim.


On Thu, 8 Nov 2001, Robert Watson wrote:

> One of the usual set of interesting questions raised by this post is how
> the audit system should identify objects in the file system namespace.  As
> has been discussed extensively in the past, the notion of uniquely
> identifying a file has some limitations in the context of a Sun-style VFS,
> due to hard links, renames, deletions, chroot(), and other fun activities.
> Some implementations I've seen cache the name of the file (with some
> reassembly to provide an absolute path of sorts) used on file open, and
> use that in audit records, or refer to it by file handle.  Others try to
> reconstruct out of the name cache (doesn't work on FreeBSD now that
> intermediate directory vnodes can be purged from the cache under load, and
> due to the multiple-name problem).  Others simply store device and inode
> number (doesn't work for file systems that don't use device or inode
> numbers).  Do we have any thoughts on what answer might work best for us?
> 
> Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
> robert at fledge.watson.org      NAI Labs, Safeport Network Services
> 
> On Thu, 1 Nov 2001, Ilmar S. Habibulin wrote:
> 
> > 
> > Someone already needs audit capability in freebsd.
> > 
> > ---------- Forwarded message ----------
> > Date: Wed, 31 Oct 2001 22:12:03 +0800
> > From: edwin chen <slack at suntop-cn.com>
> > To: freebsd-security at freebsd.org
> > Subject: audit question
> > 
> > hi, everybody
> > if I want to log a message "who visited which file or directory, and when did it happen?", what command do I need?
> > 
> > To Unsubscribe: send mail to majordomo at trustedbsd.org
> > with "unsubscribe trustedbsd-audit" in the body of the message
> > 
> 
> 
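The two failure modes the thread argues about (a hardlinked file has more than one name for one device/inode pair, and a path cached at open() goes stale once a parent directory is renamed) can be reproduced on a live file system. The script below is an added illustration for this archive page, not code from the TrustedBSD audit work or from any of the posters; the record layout, the function names and the file names under the temporary directory are all constructed for the demonstration. It records both identifiers for an open, then shows why each one alone is insufficient for an audit trail and how a consumer could detect that a cached path no longer names the audited object.

```python
import os
import tempfile
from dataclasses import dataclass


@dataclass
class AuditRecord:
    """Minimal stand-in for an audit record (constructed for this example)."""
    path_at_open: str  # name the process used when it opened the file
    dev: int           # st_dev of the opened object
    ino: int           # st_ino of the opened object


def record_open(path):
    """Open a file and capture both the name used and the (dev, ino) identity."""
    fd = os.open(path, os.O_RDONLY)
    try:
        st = os.fstat(fd)
        return AuditRecord(os.path.abspath(path), st.st_dev, st.st_ino)
    finally:
        os.close(fd)


def names_for_identity(root, dev, ino):
    """Every path under root that maps to the same (dev, ino).

    More than one result is the hardlink problem: the identity alone cannot
    tell an auditor which name the process actually used.
    """
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if st.st_dev == dev and st.st_ino == ino:
                matches.append(p)
    return sorted(matches)


def cached_path_still_valid(rec):
    """Does the path cached at open time still resolve to the audited object?

    False means the cached name is stale (renamed, unlinked or replaced), so
    any path reconstruction built on it would be inaccurate.
    """
    try:
        st = os.stat(rec.path_at_open)
    except FileNotFoundError:
        return False
    return (st.st_dev, st.st_ino) == (rec.dev, rec.ino)


def demo():
    """Run both scenarios in a scratch directory and report what an auditor sees."""
    with tempfile.TemporaryDirectory() as root:
        conf_dir = os.path.join(root, "etc")
        os.mkdir(conf_dir)
        target = os.path.join(conf_dir, "secret.conf")   # constructed sample file
        with open(target, "w") as f:
            f.write("example=1\n")
        alias = os.path.join(conf_dir, "alias.conf")     # second name, same inode
        os.link(target, alias)

        # Process opens the file through the alias; audit captures name + identity.
        rec = record_open(alias)

        # Scenario 1: device/inode maps back to two names.
        candidates = names_for_identity(root, rec.dev, rec.ino)

        # Scenario 2: a parent directory rename invalidates the cached name.
        valid_before = cached_path_still_valid(rec)
        os.rename(conf_dir, os.path.join(root, "etc.old"))
        valid_after = cached_path_still_valid(rec)

        return {
            "hardlink_names": len(candidates),
            "cached_path_valid_before_rename": valid_before,
            "cached_path_valid_after_rename": valid_after,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Recording both the open-time name and the (dev, ino) pair, as the script does, is what lets a consumer cross-check them later: the identity disambiguates nothing on its own when hardlinks exist, and the name on its own cannot be trusted after a rename, but a record that carries both can at least flag when they have diverged.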
