
Audit a user's file creations (or edits)

Status
Not open for further replies.

michael1212

IS-IT--Management
Jun 14, 2005
36
ZA
Is there a way to log an event whenever a specific user creates (or edits/saves) any file? The Audit system does not seem to help in this regard. What is the easiest/best way to do this? The event logged should contain the time, filename, and command used.

Thanks!
 
To capture the user, time, filename and command every time a file is created or altered you'd need to have hooks into a lot of system calls. Even if possible, say through a kernel extension, there's a pretty good chance it would kill your system's performance.

If you can settle for just the filename and a time period, use tripwire as mrn suggested.

Rod Knowlton
Sometime Author
IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+ / CompTIA Security+

 
Or you could use "script" if you've loads of spare disk space.

See

man script

Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

 
But be aware that script can be fairly easily circumvented by savvy users.
 
There's an article in the latest issue of Sys Admin (and online) titled Archiving Korn Shell History Files.

<shameless_self_promotion>
Ed Schaefer and John Spurgeon, the authors of the aforementioned article, have written a lot of good stuff, even if I did find a security hole in one of their articles and plug it myself. :)
</shameless_self_promotion>


Combine the article's techniques with tripwire, and you'll have most of what you want, except for protection from Ken's savvy users.

The best cure for a savvy user might be to recruit them to IT. :)

Rod Knowlton

IBM Certified Advanced Technical Expert pSeries and AIX 5L
CompTIA Linux+
CompTIA Security+

 