February 12th, 2007, 10:23 AM
Audit file access on ext3 systems
Hi all, I would like to know if is there any way to audit the last modification of a file in ext3. I know when was it thanks to stat, but, how could I know who was it?
Last edited by nihil; February 12th, 2007 at 12:22 PM.
February 12th, 2007, 11:41 AM
Only if SELinux was turned on. A regular linux lacks the audit trail.
Experience is something you don't get until just after you need it.
February 12th, 2007, 11:51 AM
Hi Derek, it has been some time since I have dealt with this sort of thing, so please forgive me if I am missing the point.
As I recall, ext3 is a journalling file system, and would have an underlying ext2 ?
As such, I would expect the ext3 to contain "transactions" and that these would naturally have a timestamp, as one of the purposes of journalling is to facilitate rapid recovery if the main file gets screwed. You would need to select date/time parameters for this?
I do not think that you will be able to find the user unless this information is deliberately collected by your file maintenance system.
As the experience I have had has always been with financial systems, this was always the case and you would simply use a query utility or transaction look-up application.
You need to look at your file layouts and see if they contain something like "record created by" and "record amended by".
Hope that helps
EDIT: Good point there SirDice, I had forgotten about Security Enhanced Linux. Come to think of it, the system I worked on was Unix rather than Linux and I have no idea what the file system was. It did have journalling though. I would guess that the only defaults were a unique record key and a timestamp.
So, I would still approach it the same way: Are there fields to store the user data? and are they getting populated?
Last edited by nihil; February 12th, 2007 at 12:20 PM.
By GbinaryR in forum AntiVirus Discussions
Last Post: October 30th, 2008, 10:33 AM
By tampabay420 in forum Programming Security
Last Post: February 14th, 2003, 02:36 PM
By -DaRK-RaiDeR- in forum Newbie Security Questions
Last Post: December 14th, 2002, 08:38 PM
By virtaava in forum The Security Tutorials Forum
Last Post: December 10th, 2001, 08:08 PM
By Badassatchu in forum Non-Security Archives
Last Post: November 23rd, 2001, 11:13 PM