> have you considered using imon as a component in a host based intrusion
> detection system? to monitor inode access, of course...
To really do this, you'd want to make a couple of changes to imon. For one,
I'm not sure whether it will report file accesses; it might only do
modifications. (If so, it should be easy to change.)
For another, it does some monitoring of when programs start & stop executing,
but it only reports when the number of running instances changes from 0 to 1
and back again. Also, I don't think you can get much (or any?) information
about who was running the command, or the PID; I think all you get is that
it was started or stopped, but that would be easy to change too. (It would
only make sense to do if you could get more information about the uid and/or
pid of the file being executed, though.)
Also, you might find this interesting; Erez Zadok has an example of doing
intrusion detection (for file access, not execution) with wrapfs at
http://www.cs.columbia.edu/~ezk/research/wrapfs/node4.html#SECTION00041000000000000000
--Rusty
--
Source code, list archive, and docs: http://oss.sgi.com/projects/fam/
To unsubscribe: echo unsubscribe fam | mail majordomo@xxxxxxxxxxx