Briefly, my current understanding is that the Solaris audit (whatever it's called today) support for auditing file activity (read, write, unlink, rename, chmod, chown, and truncate would be the stuff I'd be interested in) is limited to: all files, or all non-root files (with either possibly controlled on a per-user basis -- i.e. audit all files user 'foo' touches, but not user 'bar'). I'm curious if there's been any talk about allowing for the generation of audit events when certain operations happen to specific files (or directories).
Perhaps it's because I've been doing way too much work on ERP systems the past few years, but a common scenario I keep coming across is something like this:

1. Application generates sensitive data into a directory on the server (payroll data, benefit enrollment data, etc.)
2. Some other process comes in to deliver the data to its destination

or the opposite:

1. Some external process (or a person) delivers sensitive files onto the server
2. Files are swept up by the ERP application into the ERP system

I'm guessing other applications probably have problems that map similarly.

Now the first issue is of course securing the data while it sits on the filesystem. Simple enough: a few ACLs to restrict access to only those accounts that need to read/write the files. The wrinkle comes in that at times, someone might need to go in and look at the files while they're there (perhaps due to errors, etc.). Again, simple enough to add read-only access to the files using ACLs. But what I'd really like to be able to do is have a record any time stuff in those directories is being touched. Outside of those directories, I'm less interested, and in many cases it would just be noise that'd have to be filtered.

So I'm wondering if perhaps there is a way that I've just managed to miss, or if this has been something that's been considered (if so, any thoughts on the design)?