I have been asked to audit all accesses to a certain directory, and its subdirectories, and have some questions. The directory structure is contained in its own filesystem.
- The filesystem is mounted at /abcfiles on a server running SLES 11 SP2 server1.
- /abcfiles is in the /etc/exports file to be exported via NFS.
- The filesystem is available to 7 other SLES 11 SP2 servers for read/write access via NFS.
- The server hosting the filesystem and 3 of the other servers are running WAS. There are 4 servers running IBM HTTP Server.
I need to monitor all accesses to the entire directory structure as it contains sensitive data. My research indicates that an audit rule to monitor a directory can't be wildcarded.
Question 1: If I set up an audit rule to monitor who accesses (read, write, execute, attribute changes) the main directory, will it also monitor that directory's subdirectories or do I have to code a specific rule for each subdirectory?
The majority of the accesses to the directory (and its subdirectories) will be from the application running under WAS. The application is allowed to create/delete and read/write any of the files. I am planning on using directory monitoring instead of syscall's (using the -w switch on the rules) as I think I have a better grasp on this method. I feel that the audit.log file will fill up in several minutes due to the application.
Question 2: Is there a way that I can have audit exclude the accesses from the application running under WAS?
Question 3: Would monitoring of syscall's be better? If so, what would the rule(s) look like?
I think that it is a given that I will need to have the same audit rules in place on every server that accesses the directory structure (even those who access via NFS). I read something about the possibility if using NFS logging to do what I need but haven't found much other than the mention
Question 4: If NFS auditing/logging is the method to use, would it log the accesses from the server hosting the filesystem? I think not but don't know anything about this.