On Thu, Jan 22, 2009 at 7:50 AM, Glenn Brunette <Glenn.Brunette at sun.com> wrote:
>
> Jason,
>
> I believe you are asking for:
>
> 6490547 Provide fine-grained auditing in BSM
> http://bugs.opensolaris.org/view_bug.do?bug_id=6490547
>
> This has not yet been implemented and is currently in a "defer" state.
>
> g
>
> Jason King wrote:
>>
>> Briefly, my current understanding is that the Solaris audit (whatever
>> it's called today) support for auditing file activity (read, write,
>> unlink, rename, chmod, chown, and truncate would be the stuff I'd be
>> interested in) is limited to: all files, all non-root files (with
>> either possibly controlled on a per-user basis -- i.e. audit all files
>> user 'foo' touches, but not user 'bar'). I'm curious if there's been
>> any talk about allowing for the generation of audit events when
>> certain operations happen to specific files (or directories).
>>
>> Perhaps it's because I've been doing way too much work on ERP systems
>> the past few years, but a common scenario I keep coming across is
>> something like this:
>>
>> 1. Application generates sensitive data into a directory on the server
>> (payroll data, benefit enrollment data, etc.)
>> 2. Some other process comes in to deliver the data to its destination
>>
>> or the opposite:
>>
>> 1. Some external process (or a person) delivers sensitive files onto
>> the server
>> 2. Files are swept up by the ERP application into the ERP system.
>>
>> I'm guessing other applications probably have problems that map similarly.
>>
>> Now the first issue is of course securing the data while it sits on
>> the filesystem. Simple enough: a few ACLs to restrict access to only
>> those accounts that need to read/write the files.
>>
>> The wrinkle comes in that at times, someone might need to go in and
>> look at the files while there (perhaps due to errors, etc.). Again,
>> simple enough to add read-only access to the files using ACLs.
>>
>> But what I'd really like to be able to do is have a record any time
>> stuff in those directories is being touched. Outside of those
>> directories, I'm less interested, and in many cases it would just be
>> noise that'd have to be filtered.
>>
>> So I'm wondering if perhaps there is a way that I've just managed to
>> miss, or if this has been something that's been considered (if so, any
>> thoughts on the design)?
Yes, that's exactly it! Sounds like I'll have to wait (or if I get my other projects finished, propose something on my own).
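Until fine-grained auditing exists, the fallback Jason's message implies is to audit file activity broadly and filter the trail down to the directories of interest. The following is an added example (not from the thread or from Solaris BSM) of that filtering step, showing the two places it usually goes wrong: sibling directories matching on a bare prefix, and paths that climb back out with `..`. The record shape, the directory names and the sample records are constructed; it does not parse real praudit output.

```python
# Added example, not from the thread: when the audit system cannot scope
# events to a directory, audit broadly and filter the trail afterwards.
# Record shape and sample records are constructed, not praudit(1M) output.
import os
from dataclasses import dataclass

WATCHED = ("/export/erp/payroll", "/export/erp/inbound")  # hypothetical dirs
OPS = {"read", "write", "unlink", "rename", "chmod", "chown", "truncate"}


@dataclass(frozen=True)
class AuditRecord:
    user: str
    event: str
    paths: tuple  # one path; rename carries (source, target)


def in_scope(path: str, watched=WATCHED) -> bool:
    """True if path is a watched directory or lies beneath one."""
    # normpath() collapses '..', so a path that climbs back out of the
    # directory is judged by where it really points. Matching against
    # 'd + os.sep' keeps /export/erp/payroll2 from matching /export/erp/payroll.
    # Symlinks are not resolved here; the trail must carry resolved paths.
    norm = os.path.normpath(path)
    for d in watched:
        d = os.path.normpath(d)
        if norm == d or norm.startswith(d + os.sep):
            return True
    return False


def select(records, watched=WATCHED):
    """Keep records for a wanted operation touching any in-scope path.

    A rename qualifies if either end is in scope, so a file moved out of
    the directory is recorded as well as one moved in.
    """
    return [r for r in records
            if r.event in OPS and any(in_scope(p, watched) for p in r.paths)]


# Constructed sample trail: records 0, 2 and 4 are the ones that should survive.
SAMPLE = [
    AuditRecord("erpapp", "write", ("/export/erp/payroll/run-0122.dat",)),
    AuditRecord("bar", "read", ("/export/erp/payroll2/notes.txt",)),  # sibling dir
    AuditRecord("foo", "rename", ("/export/erp/payroll/run-0122.dat", "/tmp/x")),
    AuditRecord("foo", "read", ("/export/erp/payroll/../../../etc/passwd",)),
    AuditRecord("foo", "chmod", ("/export/erp/inbound",)),  # the directory itself
    AuditRecord("foo", "stat", ("/export/erp/payroll/run-0122.dat",)),  # unwanted op
]
```

Running `select(SAMPLE)` keeps the write, the rename and the chmod; the sibling-directory read, the `..` escape and the stat are dropped.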