Thread: Audit file access on ext3 systems

  1. #1
    Senior Member
    Join Date
    Jul 2004
    Posts
    177

    Audit file access on ext3 systems

    Hi all, I would like to know if there is any way to audit the last modification of a file in ext3. I know when it was thanks to stat, but how could I know who it was?

    Thank you.
    Last edited by nihil; February 12th, 2007 at 12:22 PM. Reason: typo

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Only if SELinux was turned on. A regular Linux lacks the audit trail.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Derek, it has been some time since I have dealt with this sort of thing, so please forgive me if I am missing the point.

    As I recall, ext3 is a journalling file system, and would have an underlying ext2?

    As such, I would expect the ext3 to contain "transactions" and that these would naturally have a timestamp, as one of the purposes of journalling is to facilitate rapid recovery if the main file gets screwed. You would need to select date/time parameters for this?

    I do not think that you will be able to find the user unless this information is deliberately collected by your file maintenance system.

    As the experience I have had has always been with financial systems, this was always the case and you would simply use a query utility or transaction look-up application.

    You need to look at your file layouts and see if they contain something like "record created by" and "record amended by".

    Hope that helps

    EDIT: Good point there SirDice, I had forgotten about Security Enhanced Linux. Come to think of it, the system I worked on was Unix rather than Linux and I have no idea what the file system was. It did have journalling though. I would guess that the only defaults were a unique record key and a timestamp.

    So, I would still approach it the same way: Are there fields to store the user data, and are they getting populated?
    Last edited by nihil; February 12th, 2007 at 12:20 PM.
