I know a way to do what you ask for: it consists of analysing
in real time the records generated by the C2 audit system. But it's
not obvious and may be resource-consuming. One difficulty is to get
good docs on audit trail formats on some platforms (especially on AIX
and HP-UX... SUN has pretty good docs on that topic).
This lets you follow most of the kernel activity (fork, exec, open,
mkdir, rmdir, unlink, chown, chmod, chdir, chroot, close, dup,
socket, ...).
Using this technique, we were able to write a pretty neat daemon
that can tell you at any time what's going on on your system, with
the same kind of information lsof provides, with actually even more
details.
It is then possible to add triggers when special events are detected...
(We do not use commands such as AIX auditpr or SUN praudit because they
are not adequate).
At that time, it works well on AIX and Solaris and we will port it to
HP-UX soon. We also have an old version that works on SCO and I suppose
it would not be a great difficulty to do the same on UnixWare. On Linux,
however, I don't know if there is a "standard" audit system...
Unfortunately, this tool is part of a commercial security product
and so I can't give you the source code. Sorry :-(
Regards,
J-L. Charton.
> Still searching info about my previous Post
> thanks
> > Hi,
> > does anybody know how to implement a program that lets me know about
> > the events
> > 1) a file has just been created
> > 2) a file has just been deleted
> > I want to determine which directories to track.
> > I must also be able to know that nobody is using the file, let's say
> > to be sure that the file will be fully uploaded if it is created by ftp.
> > I'm expected to do that under AIX, LINUX, SCO OSR, UNIXWARE.
> > I would really appreciate finding a solution that is event based, not one
> > based on a polling strategy.
> > Any help will be appreciated.
> > Regards.
> > Sent via Deja.com http://www.deja.com/
> > Before you buy.
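The approach described in the reply (follow open/close/dup/fork/unlink/exit records from the audit trail, keep a per-process descriptor table, and raise a trigger when a created file is no longer held open by anyone) can be sketched in a few lines. The following is an added example, not code from the thread or from the commercial product mentioned; the `key=value` record layout, the syscall names in it and the sample trail are constructed for this illustration and do not correspond to the real AIX, Solaris or any other platform's audit format. It answers the original poster's three needs: "created" and "deleted" events restricted to watched directories, plus a "complete" event once no process has the new file open (the ftp-upload case).

```python
"""Track file create/delete/in-use state from a stream of audit-style records.

Record layout (CONSTRUCTED for this example, not a real audit trail format):
    pid=<n> syscall=<name> [path=...] [flags=A|B] [fd=<n>] [newfd=<n>] [child=<n>] ret=<n>
"""


def parse_record(line):
    """Turn one 'key=value key=value' record into a dict."""
    rec = {}
    for tok in line.split():
        key, _, val = tok.partition("=")
        rec[key] = val
    return rec


class AuditTracker:
    def __init__(self, watch_dirs):
        # Only paths under these directories generate events.
        self.watch = tuple(d.rstrip("/") + "/" for d in watch_dirs)
        self.fds = {}          # pid -> {fd: path}, rebuilt from open/dup/close/fork/exit
        self.existing = set()  # watched paths known to exist (learned from successful opens)
        self.pending = set()   # created files that nobody has fully closed yet
        self.events = []       # ("created"|"complete"|"deleted", path), in detection order

    def watched(self, path):
        return path.startswith(self.watch)

    def in_use(self, path):
        """True while any process still holds a descriptor on path (the 'lsof' view)."""
        return any(path in table.values() for table in self.fds.values())

    def feed(self, line):
        r = parse_record(line)
        if r.get("ret", "0") != "0":
            return  # failed syscall: kernel state did not change
        pid = int(r["pid"])
        sc = r["syscall"]
        if sc == "fork":
            # The child starts with a copy of the parent's descriptor table.
            self.fds[int(r["child"])] = dict(self.fds.get(pid, {}))
        elif sc in ("open", "creat"):
            path, fd = r["path"], int(r["fd"])
            self.fds.setdefault(pid, {})[fd] = path
            if self.watched(path):
                flags = r.get("flags", "").split("|")
                # Assumption of this model: a successful O_CREAT open on a path we have
                # never seen exist counts as a creation.
                if (sc == "creat" or "O_CREAT" in flags) and path not in self.existing:
                    self.events.append(("created", path))
                    self.pending.add(path)
                self.existing.add(path)
        elif sc == "dup":
            table = self.fds.setdefault(pid, {})
            table[int(r["newfd"])] = table[int(r["fd"])]
        elif sc == "close":
            path = self.fds.get(pid, {}).pop(int(r["fd"]), None)
            self._maybe_complete(path)
        elif sc == "exit":
            # Process death closes every descriptor it still held.
            for path in list(self.fds.pop(pid, {}).values()):
                self._maybe_complete(path)
        elif sc == "unlink":
            path = r["path"]
            if self.watched(path):
                self.events.append(("deleted", path))
                self.existing.discard(path)
                self.pending.discard(path)
        # chmod, chown, chdir, ... do not change open/existence state and are ignored here.

    def _maybe_complete(self, path):
        """Fire the 'complete' trigger once a created file has no open descriptors left."""
        if path in self.pending and not self.in_use(path):
            self.pending.discard(path)
            self.events.append(("complete", path))


# Constructed sample trail: an ftp child uploads /incoming/data.csv, another
# process reads then removes it. /tmp/scratch is outside the watched tree.
SAMPLE_TRAIL = [
    "pid=100 syscall=fork child=200 ret=0",
    "pid=200 syscall=open path=/incoming/data.csv flags=O_WRONLY|O_CREAT|O_TRUNC fd=5 ret=0",
    "pid=200 syscall=dup fd=5 newfd=6 ret=0",
    "pid=200 syscall=close fd=5 ret=0",      # still held open through fd 6
    "pid=200 syscall=open path=/tmp/scratch flags=O_WRONLY|O_CREAT fd=7 ret=0",
    "pid=200 syscall=close fd=6 ret=0",      # now nobody has data.csv open -> complete
    "pid=300 syscall=open path=/incoming/data.csv flags=O_RDONLY fd=3 ret=0",
    "pid=300 syscall=unlink path=/incoming/data.csv ret=0",
    "pid=300 syscall=exit ret=0",
    "pid=200 syscall=open path=/incoming/fail.csv flags=O_CREAT fd=8 ret=-1",  # failed open
]


def run(trail, watch_dirs=("/incoming",)):
    """Feed a whole trail through a tracker and return the events it raised."""
    tracker = AuditTracker(watch_dirs)
    for line in trail:
        tracker.feed(line)
    return tracker.events


if __name__ == "__main__":
    for kind, path in run(SAMPLE_TRAIL):
        print(kind, path)
```

The "complete" trigger is only as good as the descriptor table, which is why fork and exit records matter as much as open and close: miss the inherited or abandoned descriptors and the daemon will either never report completion or report it while the uploader still holds the file. A real deployment reads the platform's binary audit records instead of this text form, but the state machine stays the same.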