[OpenAFS-devel] Re: [OpenAFS] Better Logging and Access Control
Brent Johnson
brent.johnson@jpl.nasa.gov
Tue, 06 Mar 2001 18:18:42 -0800
Hello,
Actually, you can see reads, writes (and by whom) in the FileLog if you
turn on extra fileserver logging. On Solaris you'd run "kill -TSTP
<fileserver PID>" successively (each time you run the command it gives
more detail--I've tried up to three iterations). To restore normal
logging run "kill -HUP <fileserver PID>". Normal logging is also
restored when the fileserver restarts. This extra logging (esp. the 3rd
level/iteration) is quite voluminous.
-Brent
Sam Hartman wrote:
> >>>>> "Thomas" == Thomas Vincent <thomasv@apple.com> writes:
>
> Thomas> Hi Folks, Perhaps there is a way to do this, and I
> Thomas> haven't figured it out. It would be nice if there was
> Thomas> tcp_wrapper type support built in. With the granularity to
> Thomas> control access by IP, and go directory by directory or
> Thomas> user by user. Also logging seems to be in pretty bad
> Thomas> shape under AFS. Are there any plans to say: Record reads,
> Thomas> writes, executes. To the point where I can log all a
> Thomas> person's actions if I so choose. Maybe there is a way to
> Thomas> do this, and I haven't figured it out yet.
>
> While IP ACL support is present, you should be aware that IP
> authentication in most environments is significantly less secure than
> the authentication provided by AFS's use of Kerberos.