Phillip Hofmeister wrote:
On Sat, 14 Feb 2004 at 01:31:52PM -0500, Wade Richards wrote:
Hi,
This isn't a major problem for me, but since it's related to auditing file access, I thought the security people would have an answer.
Every once in a while I get a bunch of errors because some process tried to access my CDROM, triggering automount when there's no disk in the drive.
I'd like to figure out what program is doing this. I've already spent a lot of time searching through my cron logs, to no avail.
Is there any way to audit file access, so I can see (after the fact) which program was responsible for trying to view "/var/autofs/misc/cd"?
A few things.
1. You can see which file descriptors are currently open by running lsof. This won't help you after the fact though.
2. I believe if you compile your kernel with the GRSecurity Patch (http://www.grsecurity.org) you can audit successful file opens (as one of the kernel config options). WARNING: BE PREPARED FOR A HUGE LOG FILE!!!!!
3. Myself, I audit every command that gets executed. The log has a week rotation period. In a week the log usually becomes around 90 MB (this is just a log saying what ran, not what files were opened).
Good luck!
-- Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/ wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
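To make the "audit file access after the fact" advice concrete, here is an added example that is not part of the thread and not Phillip's or Wade's code. It swaps in the mainline Linux kernel audit subsystem (auditctl/ausearch) for the grsecurity option Phillip mentions: a watch rule on the autofs trigger directory makes the kernel emit a SYSCALL record (carrying pid, ppid, auid, comm and exe) plus a PATH record for every attempt to touch /var/autofs/misc/cd, and the script below correlates those records by event serial to name the program responsible. The rule itself, the key name "cdrom", and every audit record in the sample are constructed assumptions for illustration, not captured data.

```python
"""Attribute attempted opens of an autofs mount point to the process that made them
by correlating raw Linux audit records (added example, not from the mailing-list thread).

Records of this shape are produced after loading a watch rule such as
    auditctl -w /var/autofs/misc/cd -p rwa -k cdrom
and can be pulled back later with
    ausearch -k cdrom --raw
The sample below is constructed input in the raw audit.log format, not real data.
"""
import re
from collections import defaultdict

WATCHED = "/var/autofs/misc/cd"   # assumed autofs trigger directory from the question

# Constructed sample: serial 201 is a root cron job (updatedb) and 203 an interactive
# `ls` hitting the watched path with no disc present (success=no exit=-2, ENOENT);
# serial 202 opens an unrelated file and must be ignored.  syscall=257 is openat and
# syscall=2 is open on arch=c000003e (x86_64).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1076782312.101:201): arch=c000003e syscall=257 success=no exit=-2 a0=ffffff9c a1=5631e8a4b2c0 a2=90800 a3=0 items=1 ppid=812 pid=4411 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="updatedb" exe="/usr/bin/updatedb" key="cdrom"
type=CWD msg=audit(1076782312.101:201): cwd="/"
type=PATH msg=audit(1076782312.101:201): item=0 name="/var/autofs/misc/cd" nametype=UNKNOWN
type=SYSCALL msg=audit(1076782340.555:202): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3c1a0e90 a2=80000 a3=0 items=1 ppid=3000 pid=3017 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1076782340.555:202): item=0 name="/etc/hostname" inode=1310 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1076782390.020:203): arch=c000003e syscall=2 success=no exit=-2 a0=7ffe1a2b3c40 a1=0 a2=0 a3=0 items=1 ppid=3000 pid=3042 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="cdrom"
type=CWD msg=audit(1076782390.020:203): cwd="/home/wade"
type=PATH msg=audit(1076782390.020:203): item=0 name="/var/autofs/misc/cd" nametype=UNKNOWN
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\(null\)|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Split one raw audit line into a dict of its key=value fields.

    The msg=audit(TIMESTAMP:SERIAL) token becomes _ts and _serial; all records of
    one kernel event share a serial, which is what lets SYSCALL and PATH be joined.
    Returns None for lines that are not audit records.
    """
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {"_ts": float(m.group(1)), "_serial": int(m.group(2))}
    for key, val in FIELD_RE.findall(line):
        if key == "msg":
            continue
        fields[key] = val.strip('"')
    return fields


def group_events(raw_log):
    """Bucket parsed records by event serial, preserving record order within an event."""
    events = defaultdict(list)
    for line in raw_log.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["_serial"]].append(rec)
    return events


def find_accessors(raw_log, watched=WATCHED):
    """Return, in serial order, one summary per event whose PATH records name
    `watched` or something beneath it: the process identity from the SYSCALL record
    and whether the open succeeded."""
    hits = []
    for serial, records in sorted(group_events(raw_log).items()):
        syscall = next((r for r in records if r.get("type") == "SYSCALL"), None)
        paths = [r["name"] for r in records if r.get("type") == "PATH" and "name" in r]
        touched = [p for p in paths if p == watched or p.startswith(watched + "/")]
        if syscall is None or not touched:
            continue
        hits.append({
            "serial": serial,
            "time": syscall["_ts"],
            "pid": int(syscall["pid"]),
            "ppid": int(syscall["ppid"]),   # parent pid: lets you walk back to cron, a shell, etc.
            "auid": int(syscall["auid"]),   # login uid survives su/sudo, unlike uid
            "comm": syscall["comm"],
            "exe": syscall["exe"],
            "success": syscall["success"] == "yes",
            "paths": touched,
        })
    return hits


def summarize(hits):
    """Collapse hits into {exe: count}; this is the view that answers "which program?"."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["exe"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_accessors(SAMPLE_AUDIT_LOG)
    for h in found:
        print(f"{h['time']:.3f} pid={h['pid']} ppid={h['ppid']} auid={h['auid']} "
              f"{h['exe']} ({h['comm']}) -> {', '.join(h['paths'])} "
              f"{'opened' if h['success'] else 'open failed'}")
    print(summarize(found))
```

On a real system, run it against `ausearch -k cdrom --raw` output rather than the embedded sample. The ppid and auid fields are the useful part for the original question: a failed open from a process whose ppid is cron and whose auid is 0 points straight at a root cron job, while an auid of a login user with a tty points at something interactive. Expect the log volume Phillip warns about only if the watch is placed on a busy directory; a watch on a single autofs trigger path generates records only when that path is touched.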