
Re: How to tell what process accessed a file



what package and daemon does the audit of every file executed?

Phillip Hofmeister wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 14 Feb 2004 at 01:31:52PM -0500, Wade Richards wrote:

Hi,

This isn't a major problem for me, but since it's related to auditing
file access, I thought the security people would have an answer.

Every once in a while I get a bunch of errors because some process tried
to access my CDROM, triggering automount when there's no disk in the
drive.

I'd like to figure out what program is doing this.  I've already spent a
lot of time searching through my cron logs, to no avail.

Is there any way to audit file access, so I can see (after the fact)
which program was responsible for trying to view "/var/autofs/misc/cd"?


A few things.

1. You can see which file descriptors are currently open by running
lsof.  This won't help you after the fact though.

2. I believe if you compile your kernel with the GRSecurity Patch
(http://www.grsecurity.org) you can audit successful file opens (as one
of the kernel config options).  WARNING: BE PREPARED FOR A HUGE LOG
FILE!!!!!

3. Myself, I audit every command that gets executed.  The log has a week
rotation period.  In a week the log usually becomes around 90 MB (this
is just a log saying what ran, not what files were opened).

Good luck!

- -- Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFALneuS3Jybf3L5MQRAiSoAJ0YDmSSEcigR0ymK53zeWDMkbD0/ACfd5w6
D2rH/l1zgi1nQOwyXprVQWc=
=U7ap
-----END PGP SIGNATURE-----
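The thread asks how to find, after the fact, which process opened a path, and point 3 above describes a separate log of every command that ran. The following is an added example, not code from the thread or from any of its posters: a small Python parser for Linux audit subsystem (auditd) records that answers both questions from one log. It assumes a file watch rule such as "auditctl -w /var/autofs/misc/cd -p rwa -k cdrom-watch" and an execve rule such as "auditctl -a always,exit -F arch=b64 -S execve -k exec-log"; the log lines below are constructed for the example, not captured from a real host, and the function names are my own.

```python
"""Correlate auditd records to find which process touched a path.

Added example (not from the mailing-list thread). Records belonging to one
syscall share the serial in 'msg=audit(TIME:SERIAL)', so the SYSCALL record
(pid, exe, comm, success) can be joined to its PATH and EXECVE records.
"""
import re

# Constructed sample audit log (not a real capture). Serials 201 and 203 come
# from the file watch keyed "cdrom-watch"; serial 204 from the execve rule.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1076781112.101:201): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=4321 uid=0 comm="updatedb" exe="/usr/bin/updatedb" key="cdrom-watch"
type=CWD msg=audit(1076781112.101:201): cwd="/"
type=PATH msg=audit(1076781112.101:201): item=0 name="/var/autofs/misc/cd" inode=12 dev=00:1b mode=040755 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1076781113.455:202): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=900 pid=901 uid=1000 comm="bash" exe="/bin/bash" key=(null)
type=PATH msg=audit(1076781113.455:202): item=0 name="/etc/passwd" inode=99 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1076781200.900:203): arch=c000003e syscall=257 success=no exit=-2 items=1 ppid=1 pid=777 uid=1000 comm="find" exe="/usr/bin/find" key="cdrom-watch"
type=PATH msg=audit(1076781200.900:203): item=0 name="/var/autofs/misc/cd/README" nametype=UNKNOWN
type=SYSCALL msg=audit(1076781201.000:204): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=901 pid=902 uid=1000 comm="ls" exe="/bin/ls" key="exec-log"
type=EXECVE msg=audit(1076781201.000:204): argc=2 a0="ls" a1="/var/autofs/misc"
type=PATH msg=audit(1076781201.000:204): item=0 name="/bin/ls" inode=5 dev=08:01 mode=0100755 ouid=0 ogid=0 nametype=NORMAL
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Split 'k=v k="quoted v"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def parse_audit_log(text):
    """Group records by serial: one event per syscall with its PATH/EXECVE data."""
    events = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an audit record (or a truncated line); skip it
        rtype, ts, serial, body = m.groups()
        ev = events.setdefault(int(serial),
                               {"time": float(ts), "paths": [], "argv": [], "syscall": {}})
        fields = parse_fields(body)
        if rtype == "SYSCALL":
            ev["syscall"] = fields
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name", ""))
        elif rtype == "EXECVE":
            argc = int(fields.get("argc", 0))
            ev["argv"] = [fields.get("a%d" % i, "") for i in range(argc)]
    return events


def who_accessed(text, path_prefix):
    """The thread's question: which process touched path_prefix, when, and did it succeed."""
    hits = []
    for serial, ev in sorted(parse_audit_log(text).items()):
        sc = ev["syscall"]
        for name in ev["paths"]:
            if name.startswith(path_prefix):
                hits.append({
                    "serial": serial,
                    "time": ev["time"],
                    "pid": int(sc.get("pid", -1)),
                    "uid": int(sc.get("uid", -1)),
                    "comm": sc.get("comm"),
                    "exe": sc.get("exe"),
                    "success": sc.get("success") == "yes",
                    "name": name,
                })
    return hits


def executed_commands(text):
    """Point 3's 'log of what ran': execve events (syscall 59 on x86_64, arch=c000003e)."""
    cmds = []
    for serial, ev in sorted(parse_audit_log(text).items()):
        sc = ev["syscall"]
        if sc.get("arch") == "c000003e" and sc.get("syscall") == "59" and ev["argv"]:
            cmds.append((int(sc["pid"]), sc.get("exe"), ev["argv"]))
    return cmds


if __name__ == "__main__":
    for h in who_accessed(SAMPLE_AUDIT_LOG, "/var/autofs/misc/cd"):
        print("%(time).3f pid=%(pid)d exe=%(exe)s success=%(success)s name=%(name)s" % h)
    for pid, exe, argv in executed_commands(SAMPLE_AUDIT_LOG):
        print("exec pid=%d %s argv=%r" % (pid, exe, argv))
```

On a real host the same correlation is what "ausearch -k cdrom-watch -i" does; the parser is here to show which fields carry the answer (pid, exe and comm from the SYSCALL record, the path from the PATH record joined on the serial). A failed open (success=no) is still logged, which is exactly the case in the original question, where the access fails because no disc is in the drive.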