Jason King wrote:
> On Thu, Jan 22, 2009 at 7:50 AM, Glenn Brunette <Glenn.Brunette at sun.com> wrote:
>> Jason,
>>
>> I believe you are asking for:
>>
>> 6490547 Provide fine-grained auditing in BSM
>> http://bugs.opensolaris.org/view_bug.do?bug_id=6490547
>>
>> This has not yet been implemented and is currently in a "defer" state.
>>
>> g
>>
>> Jason King wrote:
>>> Briefly, my current understanding is that the Solaris audit (whatever
>>> it's called today) support for auditing file activity (read, write,
>>> unlink, rename, chmod, chown, and truncate would be the stuff I'd be
>>> interested in) is limited to: all files, or all non-root files (with
>>> either possibly controlled on a per-user basis -- i.e. audit all files
>>> user 'foo' touches, but not user 'bar'). I'm curious if there's been
>>> any talk about allowing for the generation of audit events when
>>> certain operations happen to specific files (or directories).
>>>
>>> Perhaps it's because I've been doing way too much work on ERP systems
>>> the past few years, but a common scenario I keep coming across is
>>> something like this:
>>>
>>> 1. Application generates sensitive data into a directory on the server
>>>    (payroll data, benefit enrollment data, etc.)
>>> 2. Some other process comes in to deliver the data to its destination
>>>
>>> or the opposite:
>>>
>>> 1. Some external process (or a person) delivers sensitive files onto
>>>    the server
>>> 2. Files are swept up by the ERP application into the ERP system.
>>>
>>> I'm guessing other applications probably have problems that map similarly.
>>>
>>> Now the first issue is of course securing the data while it sits on
>>> the filesystem. Simple enough: a few ACLs to restrict access to only
>>> those accounts that need to read/write the files.
>>>
>>> The wrinkle comes in that at times, someone might need to go in and
>>> look at the files while they're there (perhaps due to errors, etc.). Again,
>>> simple enough to add read-only access to the files using ACLs.
>>>
>>> But what I'd really like to be able to do is have a record any time
>>> stuff in those directories is being touched. Outside of those
>>> directories, I'm less interested, and in many cases it would just be
>>> noise that'd have to be filtered.
>>>
>>> So I'm wondering if perhaps there is a way that I've just managed to
>>> miss, or if this has been something that's been considered (if so, any
>>> thoughts on the design)?
>>> _______________________________________________
>>> security-discuss mailing list
>>> security-discuss at opensolaris.org
>
> Yes, that's exactly it! Sounds like I'll have to wait (or if I get my
> other projects finished, propose something on my own).

You might find that File Event Notification (see PSARC/2007/027) provides
sufficient functionality for what you need.

Scott

--
Scott Rotondo
Principal Engineer, Solaris Security Technologies
President, Trusted Computing Group
Phone/FAX: +1 408 850 3655 (Internal x68278)
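Below is an added example of the approach Scott points at, not code from the thread or from any Solaris project: a watcher that uses File Event Notification (FEN, PSARC/2007/027) through event ports to turn every access, modification or attribute change on a drop directory into an audit-style log line, which is the per-directory record Jason asked for. The port_create/port_associate/port_get calls and the file_obj_t structure exist only on Solaris and illumos, so that part is compiled under `#ifdef __sun`; the event decoder and the re-arm rule are portable and build anywhere. The directory path /var/erp/drop is a placeholder, and the fallback event-bit values used off Solaris are assumed to mirror <sys/port.h>.

```c
/*
 * Added example (not from the mailing-list thread): audit-style logging of
 * file activity in one directory with Solaris File Event Notification (FEN).
 * FEN-specific calls are under #ifdef __sun; the decoder below is portable.
 */
#include <stdio.h>
#include <string.h>
#include <time.h>

#ifdef __sun
#include <port.h>
#include <sys/stat.h>
#include <unistd.h>
#else
/* Fallback values assumed to mirror <sys/port.h>, only so the decoder
 * compiles on non-Solaris systems; check them against the real header. */
#define FILE_ACCESS      0x00000001
#define FILE_MODIFIED    0x00000002
#define FILE_ATTRIB      0x00000004
#define FILE_DELETE      0x00000010
#define FILE_RENAME_TO   0x00000020
#define FILE_RENAME_FROM 0x00000040
#define UNMOUNTED        0x20000000
#define MOUNTEDOVER      0x40000000
#endif

/* Exception events: the watched object is gone or hidden after these. */
#define FEN_EXCEPTION (FILE_DELETE | FILE_RENAME_TO | FILE_RENAME_FROM | \
                       UNMOUNTED | MOUNTEDOVER)

/* Render a FEN event mask as a comma-separated list into buf.
 * Returns the number of characters written (excluding the NUL). */
size_t fen_describe(int events, char *buf, size_t n)
{
    static const struct { int bit; const char *name; } names[] = {
        { FILE_ACCESS, "access" },       { FILE_MODIFIED, "modified" },
        { FILE_ATTRIB, "attrib" },       { FILE_DELETE, "delete" },
        { FILE_RENAME_TO, "rename_to" }, { FILE_RENAME_FROM, "rename_from" },
        { UNMOUNTED, "unmounted" },      { MOUNTEDOVER, "mountedover" },
    };
    size_t len = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (events & names[i].bit) {
            len += snprintf(buf + len, n - len, "%s%s",
                            len ? "," : "", names[i].name);
            if (len >= n)
                return n - 1;           /* truncated: report what fits */
        }
    }
    if (len == 0)
        len = snprintf(buf, n, "none");
    return len;
}

/* A FEN association is one-shot: after an event the object is dropped and
 * must be re-associated to keep watching. After an exception event the path
 * no longer names the same object, so re-arming by name would watch
 * something else; the caller should stop (or re-resolve) instead. */
int fen_should_rearm(int events)
{
    return (events & FEN_EXCEPTION) == 0;
}

#ifdef __sun
/* Associate (or re-associate) path, refreshing the timestamps FEN compares
 * against: if the supplied times differ from the file's current times, an
 * event is delivered immediately, so stale times would replay old changes. */
static int fen_arm(int port, file_obj_t *fo, const char *path, int mask)
{
    struct stat sb;
    if (stat(path, &sb) != 0)
        return -1;
    fo->fo_atime = sb.st_atim;
    fo->fo_mtime = sb.st_mtim;
    fo->fo_ctime = sb.st_ctim;
    fo->fo_name  = (char *)path;
    return port_associate(port, PORT_SOURCE_FILE, (uintptr_t)fo, mask,
                          (void *)path);
}

int main(void)
{
    const char *dir = "/var/erp/drop";  /* placeholder path, not from the thread */
    const int   mask = FILE_ACCESS | FILE_MODIFIED | FILE_ATTRIB;
    int         port = port_create();
    file_obj_t  fo;
    port_event_t pe;
    char        what[128];

    if (port < 0 || fen_arm(port, &fo, dir, mask) != 0) {
        perror("fen setup");
        return 1;
    }
    /* One log line per event: timestamp, watched object, operation class.
     * On a directory, FILE_MODIFIED covers entries created, removed or
     * renamed inside it; FILE_ACCESS covers the directory being read. */
    while (port_get(port, &pe, NULL) == 0) {
        fen_describe(pe.portev_events, what, sizeof what);
        printf("%ld fen %s %s\n", (long)time(NULL),
               (const char *)pe.portev_user, what);
        if (!fen_should_rearm(pe.portev_events) ||
            fen_arm(port, &fo, dir, mask) != 0)
            break;
    }
    close(port);
    return 0;
}
#endif
```

Two caveats matter when this stands in for the deferred BSM feature: FEN tells you that an object was touched, not which user or process touched it, so the log line has to be correlated with other evidence (such as the coarse-grained audit trail) to answer "who"; and because each association is one-shot, activity between event delivery and the next port_associate is collapsed into the timestamp comparison rather than reported individually, so this is a change record, not a complete access log.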