On 5/7/2010 2:14 PM, Kevin Walsh wrote:
> Hello,
>
> I'm working on problems caused by users mistakenly leaving excessive
> write permissions on the directories of their webpages. Does anyone
> know if there is a best practices or other guidance document
> somewhere? I realize the problem might not be so different from
> webpages hosted on non-AFS filesystems.
>
> One solution we're considering is regularly scanning our webspace for
> excessively naive ACLs, but this is quite time consuming. Is there a
> faster way to search for specific ACLs than various incantations of
> gfind to fs-listacl, perhaps something that dumps all the ACLs of a
> volume, assuming they are kept on one spot?
>
> Thanks for any possible insights.
>
> ~Kevin

There are audit logs that you can turn on which will log every ACL change. Audit log output can be written to a pipe so that a process can scan them in real time. You can then have that process send e-mail, log warnings, or even alter the ACL if necessary. There will be a talk at the upcoming workshop describing how a combination of dump scanning and audit stream parsing was used to enforce export compliance regulations.

Jeffrey Altman
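As an added example (not part of the original thread and not OpenAFS code): a small parser for the scanning approach raised in the question, which reads the text printed by `fs listacl` and reports directories where system:anyuser or system:authuser hold insert, delete, write or administer rights. The paths and ACL entries in the sample are constructed, and the choice of which rights count as excessive is an assumption to adjust to local policy.

```python
import re

# Assumption: these rights are the ones treated as "excessive" for broad groups.
RISKY_RIGHTS = set("idwa")   # insert, delete, write, administer
BROAD_PRINCIPALS = {"system:anyuser", "system:authuser"}
HEADER = re.compile(r"^Access list for (.+) is$")

def find_excessive_acls(listacl_output):
    """Return (path, principal, risky_rights) for broad groups with write-type rights."""
    findings, path, section = [], None, None
    for raw in listacl_output.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            # A new directory block starts; forget the previous section.
            path, section = header.group(1), None
        elif line in ("Normal rights:", "Negative rights:"):
            section = line.split()[0].lower()
        elif path and section == "normal" and len(line.split()) == 2:
            # Negative rights are denials, so only the Normal section is checked.
            principal, rights = line.split()
            risky = "".join(r for r in rights if r in RISKY_RIGHTS)
            if principal in BROAD_PRINCIPALS and risky:
                findings.append((path, principal, risky))
    return findings

# Constructed sample of `fs listacl` output for three directories.
SAMPLE = """\
Access list for /afs/example.edu/web/alice is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwk
  alice rlidwka
Access list for /afs/example.edu/web/bob is
Normal rights:
  system:anyuser rl
  bob rlidwka
Access list for /afs/example.edu/web/carol is
Normal rights:
  system:authuser rlik
  carol rlidwka
Negative rights:
  system:anyuser w
"""

if __name__ == "__main__":
    for path, principal, rights in find_excessive_acls(SAMPLE):
        print(f"{path}: {principal} holds {rights}")
```
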
