From: Artem Kuchin (IT Legion)
To: questions@freebsd.org
Date: Thu, 21 Apr 2011 17:53:04 +0400
Message-ID: <4DB036C0.3020203@itlegion.ru>
Subject: Security monitoring all file changes

Hello!

We are running hosting servers and I think we need to monitor and log all changes in filesystems (an FTP log is written already, but we give shell access and files can also be changed by scripts), so that when a client asks when a file/directory was changed or deleted, and by whom, we can answer that question.

In what direction should I look? Is Audit the thing for it?

The problem with the whole idea is that I don't want to hog the RAID with a huge log of what happened to the files every nanosecond. For example, a file is opened, written 1000 times with write() and then closed. I don't want to get 1000 lines in the log.
Something like:

  opened for write
  write repeated 1000 times (just one line with a repetition counter)
  closed

would be nice, but if that is not possible, then just open and close logged, without write. Better than nothing. Or maybe it can be a very optimized binary log. I have no idea what I am writing about :)

Thanks in advance!

Best regards,
Artem

--
Best regards, Artem Kuchin
IT Legion company
www.itlegion.ru www.hostilla.ru +7 (495) 232-0338
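An added example to go with the question above (editor's addition, not part of the original post or of FreeBSD's own tooling). On FreeBSD the audit(4) subsystem does not record individual read(2)/write(2) calls at all; open(2) is recorded together with its access mode, and create, delete, rename and attribute changes each get one record, so the per-write flood the post worries about does not occur once auditd is enabled (auditd_enable="YES" in /etc/rc.conf) with the file-change classes selected in /etc/security/audit_control, e.g. flags:lo,aa,fc,fd,fm,fw. What remains is turning the praudit(1) output into one line per change. The script below does that: it groups the comma-separated token lines into records, drops read-only opens, collapses consecutive repeats of the same (audit uid, effective uid, event, path, result) into one line with a counter, and shows both the audit uid (the login identity, which survives su) and the effective uid. The sample input is constructed to resemble praudit's default text layout (header,bytes,version,event,modifier,time,msec / path / subject / return / trailer) and is an assumption about that format; the host, users, paths and the "-1" audit uid for a process that did not come from a login session (a web server running a client's script) are likewise hypothetical.

```python
"""Collapse FreeBSD praudit(1) text output into one line per file change.

Editor's example; not from the mailing-list post.  Assumes praudit's default
comma-separated token layout.  SAMPLE_PRAUDIT is constructed test data.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample of `praudit /var/audit/current` with flags:fc,fd,fm,fw.
# Record 3 is a read-only open (filtered out); record 4 is a script run by the
# web server, so its audit uid is -1 and only the effective uid "www" is known.
SAMPLE_PRAUDIT = """\
header,113,11,open(2) - read,write,0,Thu Apr 21 17:53:04 2011, + 123 msec
path,/home/client1/www/index.html
attribute,644,client1,client1,1234,5678,0
subject,client1,client1,client1,client1,client1,4711,4711,0 0 192.168.0.12
return,success,3
trailer,113
header,113,11,open(2) - read,write,0,Thu Apr 21 17:53:05 2011, + 10 msec
path,/home/client1/www/index.html
attribute,644,client1,client1,1234,5678,0
subject,client1,client1,client1,client1,client1,4711,4711,0 0 192.168.0.12
return,success,3
trailer,113
header,97,11,open(2) - read,0,Thu Apr 21 17:53:07 2011, + 0 msec
path,/home/client1/www/index.html
subject,-1,www,www,www,www,4800,4800,0 0 0.0.0.0
return,success,5
trailer,97
header,97,11,unlink(2),0,Thu Apr 21 17:53:09 2011, + 0 msec
path,/home/client1/www/old.php
subject,-1,www,www,www,www,4800,4800,0 0 0.0.0.0
return,success,0
trailer,97
header,101,11,open(2) - write,0,Thu Apr 21 17:53:12 2011, + 4 msec
path,/home/client2/logs/access.log
subject,client1,client1,client1,client1,client1,4711,4711,0 0 192.168.0.12
return,failure : Permission denied,-1
trailer,101
"""


@dataclass
class Record:
    time: str = ""
    event: str = ""
    auid: str = ""          # audit uid: who logged in (survives su)
    euid: str = ""          # effective uid at the time of the call
    paths: List[str] = field(default_factory=list)
    status: str = ""


def parse_records(text: str) -> List[Record]:
    """Group praudit token lines into records delimited by header/trailer."""
    records: List[Record] = []
    cur = None
    for line in text.splitlines():
        f = line.split(",")
        tok = f[0]
        if tok == "header":
            cur = Record()
            # The event name may itself contain commas ("open(2) - read,write"),
            # so take it from both ends: modifier, time and msec are the last 3.
            cur.event = ",".join(f[3:-3])
            cur.time = f[-2].strip()
        elif cur is None:
            continue
        elif tok == "path":
            cur.paths.append(",".join(f[1:]))      # paths may contain commas too
        elif tok == "subject":
            cur.auid, cur.euid = f[1], f[2]
        elif tok == "return":
            cur.status = f[1].strip()
        elif tok == "trailer":
            records.append(cur)
            cur = None
    return records


def modifies_file(rec: Record) -> bool:
    """Keep records that name a path and can change it; drop read-only opens."""
    if not rec.paths:
        return False
    if rec.event.startswith("open"):
        mode = rec.event.split(" - ", 1)[1] if " - " in rec.event else ""
        return any(k in mode for k in ("write", "creat", "trunc"))
    return True   # unlink, rename, chmod, chown, mkdir, ... (fc/fd/fm classes)


@dataclass
class Change:
    first: str
    last: str
    auid: str
    euid: str
    event: str
    paths: List[str]
    status: str
    count: int = 1

    def key(self) -> Tuple:
        return (self.auid, self.euid, self.event, tuple(self.paths), self.status)


def summarize(records: List[Record]) -> List[Change]:
    """One Change per file-modifying record; identical neighbours are merged."""
    out: List[Change] = []
    for r in records:
        if not modifies_file(r):
            continue
        c = Change(r.time, r.time, r.auid, r.euid, r.event, r.paths, r.status)
        if out and out[-1].key() == c.key():
            out[-1].count += 1
            out[-1].last = r.time
        else:
            out.append(c)
    return out


def format_change(c: Change) -> str:
    rep = f"  x{c.count} (last {c.last})" if c.count > 1 else ""
    return (f"{c.first}  auid={c.auid} euid={c.euid}  {c.event}  "
            f"{' -> '.join(c.paths)}  {c.status}{rep}")


if __name__ == "__main__":
    for change in summarize(parse_records(SAMPLE_PRAUDIT)):
        print(format_change(change))
```

In practice you would pipe `praudit /var/audit/<trail>` into this instead of the embedded sample. Note the "auid=-1" line: a file deleted by a client's PHP script shows the web server's effective uid, not the client, so answering "by whom" for script-driven changes still needs the web server's own logs or per-client service users.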