From owner-freebsd-hackers Wed Oct 15 09:44:20 1997
From: njs3@doc.ic.ac.uk (Niall Smart)
Date: Wed, 15 Oct 1997 17:44:04 +0100
To: Brian Mitchell
Subject: Re: Question about file opens
Cc: c@doc.ic.ac.uk, hackers@freebsd.org
Sender: owner-freebsd-hackers@freebsd.org

> On Wed, 15 Oct 1997, Charles Green wrote:
>
> > For a project I'm working on we're interested in tracking file opens,
> > and are interested in the best way of tracking them. Any ideas? Or is it
> > impossible without modifying the kernel?
>
> There are two ways, auditing (which freebsd doesn't have yet - see
> http://shell.firehouse.net/~brian/bsdc2audit for preliminary driver) or
> modifying the libc stubs. You could also use a preloaded shared lib to do
> it without rebuilding libc, if you wanted to.

It's probably worth noting that if the auditing is for security-related
purposes then modifying the libc stubs is worse than useless because the
system calls can be called directly by the hacker without libc.

Niall
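
The gap described in the reply above, as an added example that is not part of the original message: a library-level hook only counts the opens that pass through it, so its log undercounts what the kernel actually served. The names `stub_open`, `direct_open` and `unlogged_opens` are hypothetical, and the code assumes a system that provides `syscall(2)` with `SYS_openat`.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Number of opens the library-level hook has recorded. */
static int logged_opens = 0;

/* Hypothetical stand-in for a modified libc open() stub (or a preloaded
 * wrapper): record the call, then enter the kernel. */
static int stub_open(const char *path, int flags)
{
    logged_opens++;
    fprintf(stderr, "audit: open(\"%s\")\n", path);
    return (int)syscall(SYS_openat, AT_FDCWD, path, flags);
}

/* The same kernel entry point reached without going through the stub.
 * Nothing in user space gets a chance to log it. */
static int direct_open(const char *path, int flags)
{
    return (int)syscall(SYS_openat, AT_FDCWD, path, flags);
}

/* Open `path` once through each route; return how many successful opens
 * the library-level log did NOT record. */
int unlogged_opens(const char *path)
{
    int before = logged_opens;
    int succeeded = 0;
    int fd;

    fd = stub_open(path, O_RDONLY);
    if (fd >= 0) { succeeded++; close(fd); }
    fd = direct_open(path, O_RDONLY);
    if (fd >= 0) { succeeded++; close(fd); }

    return succeeded - (logged_opens - before);
}

int main(void)
{
    printf("opens missing from library-level log: %d\n", unlogged_opens("/"));
    return 0;
}
```

Both opens succeed, yet only one is logged; recording every open requires a hook on the kernel side of the system call boundary, which is what the auditing option in the quoted reply provides.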