-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 14 Feb 2004 at 01:31:52PM -0500, Wade Richards wrote:
> Hi,
>
> This isn't a major problem for me, but since it's related to auditing
> file access, I thought the security people would have an answer.
>
> Every once in a while I get a bunch of errors because some process tried
> to access my CDROM, triggering automount when there's no disk in the
> drive.
>
> I'd like to figure out what program is doing this. I've already spent a
> lot of time searching through my cron logs, to no avail.
>
> Is there any way to audit file access, so I can see (after the fact)
> which program was responsible for trying to view "/var/autofs/misc/cd"?

A few things.

1. You can see which file descriptors are currently open by running lsof.
   This won't help you after the fact though.

2. I believe if you compile your kernel with the GRSecurity Patch
   (http://www.grsecurity.org) you can audit successful file opens (as one
   of the kernel config options). WARNING: BE PREPARED FOR A HUGE LOG
   FILE!!!!!

3. Myself, I audit every command that gets executed. The log has a week
   rotation period. In a week the log usually becomes around 90 MB (This
   is just a log saying what was run, not what files were opened).

Good luck!

- -- 
Phillip Hofmeister
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.asc | gpg --import
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFALneuS3Jybf3L5MQRAiSoAJ0YDmSSEcigR0ymK53zeWDMkbD0/ACfd5w6
D2rH/l1zgi1nQOwyXprVQWc=
=U7ap
-----END PGP SIGNATURE-----
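
Suggestion 3 applied to the original question, as an added example that is not part of the original message: given a log of executed commands and the times of the automount errors, rank the executables that started shortly before each error. The exec-log line format, the sample entries, the error timestamps and the function names are all constructed for illustration; the message does not say what its log looks like.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data. The exec-log line format is an assumption:
# "<ISO timestamp> pid=<n> uid=<n> cmd=<command line>".
EXEC_LOG = """\
2004-02-12T06:24:58 pid=2101 uid=0 cmd=/usr/sbin/logrotate /etc/logrotate.conf
2004-02-12T06:25:01 pid=2107 uid=0 cmd=/usr/bin/find / -name core
2004-02-12T06:25:02 pid=2110 uid=1000 cmd=/bin/ls /home/user
2004-02-13T06:25:01 pid=3307 uid=0 cmd=/usr/bin/find / -name core
2004-02-13T06:25:03 pid=3311 uid=0 cmd=/usr/bin/mandb --quiet
2004-02-13T11:40:10 pid=3520 uid=1000 cmd=/usr/bin/vim notes.txt
this line is truncated garbage
"""
# Constructed timestamps of the automount errors, as read from syslog.
ERROR_TIMES = ["2004-02-12T06:25:04", "2004-02-13T06:25:05"]

LINE_RE = re.compile(r"^(\S+) pid=(\d+) uid=(\d+) cmd=(.+)$")

def parse_exec_log(text):
    """Return (time, pid, uid, cmd) tuples; skip lines that do not parse."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            when = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue
        events.append((when, int(m.group(2)), int(m.group(3)), m.group(4)))
    return events

def rank_suspects(events, error_times, window_seconds=10):
    """Count, per executable, how many errors it started shortly before."""
    window = timedelta(seconds=window_seconds)
    hits = Counter()
    for err in map(datetime.fromisoformat, error_times):
        # Count each executable once per error, however often it ran.
        seen = {cmd.split()[0] for when, _, _, cmd in events
                if timedelta(0) <= err - when <= window}
        hits.update(seen)
    return hits.most_common()

if __name__ == "__main__":
    for exe, n in rank_suspects(parse_exec_log(EXEC_LOG), ERROR_TIMES):
        print(f"{exe}: ran before {n} of {len(ERROR_TIMES)} errors")
```

An executable that precedes every error is the first one to investigate. A long-running daemon that started well before the error will not fall inside the window, so that case needs a wider `window_seconds` or kernel-level open auditing as in suggestion 2.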

