Does anyone know of any Linux-based filesystem that does file-level auditing and logs based on username? Does ext2/3 do such auditing (stock or with patches)? I would like a filesystem that can be told to audit and log file deletions and log the username that deleted the file (similar to auditing on NTFS). I know, I should be using file permissions to prevent this type of deletion from occurring, but in order for the database/application that we are running to operate correctly, file permissions have to be set -rw-rw-r--. Since all files have those permissions, anyone in a particular group can write to a file and therefore can delete the file should they want to, or fat finger a command and delete it accidentally. I've Googled on this query, but have yet to find any relevant information. Any help would be greatly appreciated. Regards, Andy. Andrew Rechenberg Infrastructure Team, Sherman Financial Group arechenberg @ shermanfinancialgroup.com
Actually, 'database' is a loose term in this case. The database is UniVerse by IBM (Informix/Ardent, whomever owns the software today :) and the database software doesn't modify the files. Also, UniVerse isn't a 'traditional' database in the sense that there is one database file or set of files and all transactions act upon that one, or set of files. In UniVerse, each 'table' is its own Linux file. When a user logs in they get a UniVerse 'shell.' That process is run in the user context and therefore any file accesses are done by that userid. Since multiple users need access to these 'tables,' each user must belong to a group and that group must have write access to those tables/files. That's why I want to be able to audit individual file deletions in case someone makes a boo-boo or is malicious and wants to make me work weekends :)

Thanks for your help.
Andy.

-----Original Message-----
From: Martin Stricker [mailto:shugal@gmx.de]
Sent: Thursday, October 03, 2002 8:17 PM
To: Rechenberg, Andrew
Subject: Re: Auditing filesystems for Linux?

No need to ask twice... ;-))

"Rechenberg, Andrew" wrote:
> Does anyone know of any Linux-based filesystem that does file-level
> auditing and logs based on username? Does ext2/3 do such auditing
> (stock or with patches)?

Not sure if this does what you need, but ext3 can be told to log file changes so they can be reverted. I never used this, so please look into the documentation.

Since this is about a database: If all the files in question are written and read only by the database server software there is no need for rw-rw-r--, rw------- will be sufficient: Regardless which user is logged into the database, the files are accessed by the database server software, usually running under a database-specific system account (which prevents login at all). Of course the files must be owned by that user; if not, change the ownership with chown (as root).
Best regards, Martin Stricker -- Homepage: http://www.martin-stricker.de/ Linux Migration Project: http://www.linux-migration.org/ Red Hat Linux 7.3 for low memory: http://www.rule-project.org/ Registered Linux user #210635: http://counter.li.org/
OK, I checked out grsecurity and it can audit file accesses if they are disallowed by ACLs, but it cannot log accesses if the permissions allow them.

Does anyone know of any other kernel patches that allow auditing and logging individual file-level access?

Thanks again, for everyone's help.
Andy.

-----Original Message-----
From: Skylar Thompson [mailto:skylar@attglobal.net]
Sent: Thursday, October 03, 2002 6:35 PM
To: ext3-users@redhat.com
Subject: Re: Auditing filesystems for Linux?

On Thu, Oct 03, 2002 at 04:23:31PM -0400, Rechenberg, Andrew wrote:
> Does anyone know of any Linux-based filesystem that does file-level
> auditing and logs based on username? Does ext2/3 do such auditing
> (stock or with patches)? I would like a filesystem that can be told to
> audit and log file deletions and log the username that deleted the file
> (similar to auditing on NTFS).
>
> I know, I should be using file permissions to prevent this type of
> deletion from occurring, but in order for the database/application that
> we are running to operate correctly, file permissions have to be set
> -rw-rw-r--. Since all files have those permissions, anyone in a
> particular group can write to a file and therefore can delete the file
> should they want to, or fat finger a command and delete it accidentally.
>
> I've Googled on this query, but have yet to find any relevant
> information. Any help would be greatly appreciated.

I believe the Grsecurity kernel patch can be told to do that. See http://www.grsecurity.net for more information.

-- 
-- Skylar Thompson (skylar@attglobal.net)
-- http://lizw090-016.resnet.wisc.edu/~skylar/, http://www.earlham.edu/~thompsk/
On Thu, Oct 03, 2002 at 03:56:13PM -0400, Rechenberg, Andrew wrote:
> Does anyone know of any Linux-based filesystem that does file-level
> auditing and logs based on username? Does ext2/3 do such auditing
> (stock or with patches)? I would like a filesystem that can be told to
> audit and log file deletions and log the username that deleted the file
> (similar to auditing on NTFS).

This isn't really a filesystem issue. Most attempts to do this sort of thing are done at a more generic layer, such as in the VFS, or at the system call layer. There used to be a project, called auditd, that would do what you wanted, but the domain name hert.org where the project lived doesn't seem to be around any more.

Given what you want to do, the LSM patches give you enough hooks that it would be easy to write a module that would provide audit logs for unlink system calls.

Alternatively, if you are more worried about tracking accidents, you could just use LD_PRELOAD and create a shared library which tracked unlink calls to glibc. This doesn't protect you against statically linked binaries, so it wouldn't track a determined user, but it would track accidents. So this isn't as good as the LSM approach, but using an LD_PRELOAD has the advantage that it's user-space only; it doesn't require any kernel patches.

> I know, I should be using file permissions to prevent this type of
> deletion from occurring, but in order for the database/application that
> we are running to operate correctly, file permissions have to be set
> -rw-rw-r--. Since all files have those permissions, anyone in a
> particular group can write to a file and therefore can delete the file
> should they want to, or fat finger a command and delete it accidentally.

Why can't the database/application be setgid to the correct group, and then you don't put any users in that group? So users will be able to run the database/application, but they won't be able to delete or modify the file outside of using the application.

- Ted
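The LD_PRELOAD approach Ted sketches above, worked out as an added example. This is not code from Ted or from anyone else in the thread; it assumes Linux with glibc, and the path /data/uv/ORDERS, the group name and the install location in the comments are made up for illustration. It interposes both unlink() and unlinkat(), because current coreutils rm(1) removes files through unlinkat(2), so a shim that wraps unlink() alone misses the most common accidental deletion. Each call is written to syslog (facility authpriv) with the caller's real uid, the resolved username and the path before being forwarded to the kernel.

```c
/* audit_unlink.c: LD_PRELOAD shim that logs every unlink()/unlinkat() call
 * with the calling user's real uid, username and the path, then forwards
 * the request. Added example for this thread, not code from the original
 * posts. Assumes Linux and glibc.
 *
 * Build:   gcc -shared -fPIC -O2 -o audit_unlink.so audit_unlink.c
 * Use:     LD_PRELOAD=/usr/local/lib/audit_unlink.so rm /data/uv/ORDERS
 *          (or list the .so in /etc/ld.so.preload for every dynamic process)
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Build one audit line of the form
 *   unlink uid=1001 user=andy pid=4242 path=/data/uv/ORDERS
 * into buf and return the number of characters it would occupy (as
 * snprintf does). "user=?" is emitted when the uid has no passwd entry. */
int audit_record(uid_t uid, pid_t pid, const char *path, char *buf, size_t len)
{
    struct passwd *pw = getpwuid(uid);
    const char *name = (pw && pw->pw_name) ? pw->pw_name : "?";
    return snprintf(buf, len, "unlink uid=%u user=%s pid=%d path=%s",
                    (unsigned)uid, name, (int)pid, path ? path : "(null)");
}

static void log_unlink(const char *path)
{
    char line[PATH_MAX + 128];
    /* getuid(), not geteuid(): the interesting identity is who ran the
     * command, which stays the user's real uid even under a setgid binary. */
    audit_record(getuid(), getpid(), path, line, sizeof line);
    syslog(LOG_AUTHPRIV | LOG_NOTICE, "%s", line);
}

/* Interposed unlink(2). Forwards through the raw unlinkat syscall instead
 * of dlsym(RTLD_NEXT, "unlink"): no libdl dependency, and a later preload
 * cannot wrap the forwarding call to hide a deletion from this shim. */
int unlink(const char *pathname)
{
    log_unlink(pathname);
    return (int)syscall(SYS_unlinkat, AT_FDCWD, pathname, 0);
}

/* Interposed unlinkat(2). This is the entry point modern rm(1) uses; the
 * path is logged as passed, so it may be relative to dirfd. */
int unlinkat(int dirfd, const char *pathname, int flags)
{
    log_unlink(pathname);
    return (int)syscall(SYS_unlinkat, dirfd, pathname, flags);
}
```

As Ted says, this only sees dynamically linked programs that resolve unlink through the PLT: a static binary, a direct syscall, or glibc's own internal callers (remove(3) reaches unlink without going through the interposable symbol) all bypass it, and a file can also be destroyed without any unlink at all, for instance by rename(2) over it or by truncation, which this shim does not record. It is adequate for catching fat-fingered rm in a UniVerse shell, not for a malicious user; the LSM route or the setgid arrangement Ted describes is what closes that gap.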