Hey All my first post, so forgive me if I am in the wrong area. Well here it goes...

I am trying to understand how I should audit various users, directories and files.

For example, I would like to audit all the things that a super-user would do (i.e. all open, closes and commands). However, for other users I would like to be more selective. Moreover, I would only care when these users move to various directories. I was thinking about using the ext3 journaling system but can not find good documentation. Please point to good documentation if any one knows.

If there are any other suggestions I would be happy to entertain those.


Sincerely,

Josef

Hello and welcome to LQ, hope you like it here. Fortunately you've posted in the right place. If you didn't it would be a problem either: anyone can report a post or thread (see the report button) to suggest a move to a subforum that's better suited. That said, are there any specific reasons for wanting a full audit trail like that? If any, what access restrictions and auditing measures are already in place?

I am trying to get a DCID 6/3 PL3 System correctly audited and I thought that the best way to audit the priviledged users (we call them maintainers)would be to understand what actual files that they would actually touch and place those files in a directory only accessible by them and a sys admin. Hence, to audit them I do not know what other resource that is at my disposal other than ext3.

Your comments.

Sincerely,

Josef

IIGC those specs include DAC, controlled data storage and distribution, file labelling, end to end file encryption and auditing. So. If it runs GNU/Linux and the system conforms to that kind of specs shouldn't Auditd and SELinux auditing be in place already? (Which should help you achieve what you want to audit)