Jason, I believe you are asking for:
6490547 Provide fine-grained auditing in BSM
http://bugs.opensolaris.org/view_bug.do?bug_id=6490547

This has not yet been implemented and is currently in a "defer" state.

g

Jason King wrote:
> Briefly, my current understanding is that the solaris audit (whatever
> it's called today) support of auditing file activity (read, write,
> unlink, rename, chmod, chown, and truncate would be the stuff I'd be
> interested in) is limited to: all files, all non-root files (with
> either possibly controlled on a per user basis -- i.e. audit all files
> user 'foo' touches, but not user 'bar'). I'm curious if there's been
> any talk about allowing for the generation of audit events when
> certain operations happen to specific files (or directories).
>
> Perhaps it's because I've been doing way too much work on ERP systems
> the past few years, but a common scenario I keep coming across is
> something like this:
>
> 1. Application generates sensitive data into a directory on the server
> (payroll data, benefit enrollment data, etc.)
> 2. Some other process comes in to deliver data to its destination
>
> or the opposite:
>
> 1. Some external process (or a person) delivers sensitive files onto server
> 2. Files are swept up by ERP application into the ERP system.
>
> I'm guessing other applications probably have problems that map similarly.
>
> Now the first issue is of course securing the data while it sits on
> the filesystem. Simple enough: a few ACLs to restrict access to only
> those accounts that need to read/write the files.
>
> The wrinkle comes in that at times, someone might need to go in and
> look at the files while there (perhaps due to errors, etc.). Again,
> simple enough to add read-only access to the files using ACLs.
>
> But what I'd really like to be able to do is have a record anytime
> stuff in those directories is being touched. Outside of those
> directories, I'm less interested, and in many cases it would just be
> noise that'd have to be filtered.
>
> So I'm wondering if perhaps there is a way that I've just managed to
> miss, or if this has been something that's been considered (if so, any
> thought on the design)?
> _______________________________________________
> security-discuss mailing list
> security-discuss at opensolaris.org
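Until 6490547 is implemented, the only thing the audit subsystem gives you is the coarse selection Jason describes: turn on the file classes (fr, fw, fd, fm) for the user or for everyone, and accept that the trail records every file that user touches. The "noise that'd have to be filtered" then has to be filtered after the fact. The script below is an added example for this thread, not code from the list, from Solaris or from any OpenSolaris project: it reads the one-token-per-line, comma-separated text that praudit(1M) prints, regroups it into records and keeps only the records whose path token falls under a watched directory and whose event is one of the syscalls Jason listed. The sample trail embedded in it is constructed for the example, and the exact field layout of the header, subject and return tokens is assumed from praudit's text format; adjust the field indexes if your praudit release prints them differently.

```python
"""Post-filter a praudit text trail down to records that touch a watched
directory.  Added example for the security-discuss thread on bug 6490547;
not part of Solaris.  The praudit field layout assumed here:
    header,<len>,<version>,<event description>,<modifier>,<time>...
    path,<pathname>
    subject,<audit-uid>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<tid>
    return,<success|failure: reason>,<retval>
"""
import posixpath
from dataclasses import dataclass, field
from typing import Iterable, Iterator, List, Sequence, Tuple

# Syscall families from the thread, matched against the start of the header
# event description (e.g. "open(2) - read", "unlink(2)").  Assumed names.
WATCHED_SYSCALLS = ("open(2)", "unlink(2)", "rename(2)", "chmod(2)",
                    "chown(2)", "truncate(2)", "ftruncate(2)")


@dataclass
class AuditRecord:
    event: str
    user: str = ""
    paths: List[str] = field(default_factory=list)
    result: str = ""


def parse_praudit(lines: Iterable[str]) -> Iterator[AuditRecord]:
    """Group token lines into records.  A record starts at a 'header' token;
    only path, subject and return tokens are kept, the rest are ignored.
    Event descriptions that themselves contain a comma (praudit prints
    "open(2) - read,creat") are cut at the comma; the syscall name comes
    first, so matching on the prefix still works."""
    rec = None
    for raw in lines:
        fields = raw.strip().split(",")
        tok = fields[0]
        if tok == "header":
            if rec is not None:
                yield rec
            rec = AuditRecord(event=fields[3] if len(fields) > 3 else "")
        elif rec is None:
            continue                      # token before any header: skip
        elif tok == "path":
            rec.paths.append(",".join(fields[1:]))   # pathnames may hold commas
        elif tok == "subject":
            rec.user = fields[1]          # audit user id, survives su/setuid
        elif tok == "return":
            rec.result = fields[1]        # "success" or "failure: <reason>"
    if rec is not None:
        yield rec


def under(path: str, directory: str) -> bool:
    """True if path is the directory or lies beneath it.  Normalises first so
    /export/payroll/a/../b counts, and compares with a trailing slash so
    /export/payroll2 is NOT mistaken for /export/payroll."""
    p = posixpath.normpath(path)
    d = posixpath.normpath(directory)
    return p == d or p.startswith(d.rstrip("/") + "/")


def filter_trail(lines: Iterable[str], watched_dirs: Sequence[str],
                 syscalls: Sequence[str] = WATCHED_SYSCALLS
                 ) -> List[Tuple[str, str, List[str], str]]:
    """Return (user, event, matching paths, result) for every record of an
    interesting syscall that names a path inside one of watched_dirs.
    Failed attempts are kept on purpose: a denied unlink is what you want
    to see."""
    hits = []
    for rec in parse_praudit(lines):
        if not any(rec.event.startswith(s) for s in syscalls):
            continue
        matched = [p for p in rec.paths
                   if any(under(p, d) for d in watched_dirs)]
        if matched:
            hits.append((rec.user, rec.event, matched, rec.result))
    return hits


# Constructed praudit-style trail, not captured from a real host.
SAMPLE_TRAIL = """\
header,129,2,open(2) - read,,2008-03-03 10:01:02.000 +00:00
path,/export/payroll/2008-02.csv
attribute,100640,erp,payroll,8388614,12345,0
subject,jason,jason,staff,jason,staff,4242,4242,0 0 host
return,success,3
header,129,2,open(2) - read,,2008-03-03 10:01:03.000 +00:00
path,/usr/lib/libc.so.1
attribute,100755,root,bin,8388614,2345,0
subject,jason,jason,staff,jason,staff,4242,4242,0 0 host
return,success,4
header,140,2,rename(2),,2008-03-03 10:02:00.000 +00:00
path,/export/payroll/incoming/benefits.dat
path,/export/payroll/processed/benefits.dat
subject,erp,erp,payroll,erp,payroll,5001,5001,0 0 host
return,success,0
header,129,2,open(2) - read,,2008-03-03 10:03:00.000 +00:00
path,/export/payroll2/notes.txt
attribute,100644,bob,staff,8388614,9999,0
subject,bob,bob,staff,bob,staff,6100,6100,0 0 host
return,failure: Permission denied,-1
header,120,2,unlink(2),,2008-03-03 10:04:00.000 +00:00
path,/export/payroll/2008-01.csv
subject,bob,bob,staff,bob,staff,6100,6100,0 0 host
return,failure: Permission denied,-1
"""

if __name__ == "__main__":
    # Typical use: praudit /var/audit/<file> | python thisscript.py
    for user, event, paths, result in filter_trail(SAMPLE_TRAIL.splitlines(),
                                                   ["/export/payroll"]):
        print(f"{user:8} {event:20} {result:30} {' '.join(paths)}")
```

Run against the constructed trail with /export/payroll watched, it keeps Jason's read of the payroll file, the ERP rename (both the source and destination paths are reported) and bob's denied unlink, and drops the libc open and the access to /export/payroll2. This is still selection after the fact: the trail on disk grows with everything the user did, and per-directory selection at record time is exactly what the deferred bug asks for.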