[OpenAFS-devel] Re: [OpenAFS] Better Logging and Access Control

Brent Johnson brent.johnson@jpl.nasa.gov
Tue, 06 Mar 2001 18:18:42 -0800


Hello,

Actually, you can see reads, writes (and by whom) in the FileLog if you
turn on extra fileserver logging.  On Solaris you'd run "kill -TSTP
<fileserver PID>" successively (each time you run the command it gives
more detail--I've tried up to three iterations).  To restore normal
logging run "kill -HUP <fileserver PID>".  Normal logging is also
restored when the fileserver restarts.  This extra logging (esp. the 3rd
level/iteration) is quite voluminous.

-Brent

Sam Hartman wrote:

> >>>>> "Thomas" == Thomas Vincent <thomasv@apple.com> writes:
>
>     Thomas> Hi Folks, Perhaps there is a way to do this , and I
>     Thomas> haven't figured it out.  It would be nice if there was
>     Thomas> tcp_wrapper type support built in. With the granularity to
>     Thomas> control access by ip , and go directory by directory or
>     Thomas> user by user.  Also logging seems to be in pretty bad
>     Thomas> shape under afs. Are there any plans to say: Record reads,
>     Thomas> writes, executes. To the point where I can log all a
>     Thomas> persons actions if I so choose.  Maybe there is a way to
>     Thomas> do this, and I haven't figured it out yet.
>
> While IP ACL support is present, you should be aware that IP
> authentication in most environments is significantly less secure than
> the authentication provided by AFS's use of Kerberos.
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo.cgi/openafs-info