[RFC][PATCH] (#4) auditfs

Leigh Purdie Leigh.Purdie at intersectalliance.com
Wed Feb 23 21:47:14 UTC 2005


On Wed, 2005-02-23 at 13:58 -0600, Klaus Weidner wrote:
> On Tue, Feb 22, 2005 at 01:58:42PM -0600, Timothy R. Chavez wrote:
> read() and write() aren't considered security relevant operations since
> they don't do any permission checks. From the CC point of view the
> interesting call is open(), and if that's properly handled it's enough.
> 
> In most real-world scenarios you probably won't want to be auditing read
> and write operations individually anyway.

Agree with Klaus here. Although there are conceptually a few areas where
read & write auditing could be useful, practically you're swamped with
so much useless data that finding the useful information amongst all
the other stuff is so much of a challenge that it's not worth turning
on.

Examples of possible positives:
* User accessed /etc/passwd in write mode... but did they actually
CHANGE it?
* Bandwidth hog needs to be identified, so look for bulk reads and
writes on network sockets.

... but there are other ways of effectively getting the same information,
with much less system and administrator overhead (e.g. tripwire, tcpdump)
- so I wouldn't recommend adding this in.

L.
-- 
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/
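The two points made in this message, that open() (not read()/write()) is where the access mode is decided, and that "opened for writing" still doesn't tell you whether the file actually changed, can be checked with a small script. The following is an added example, not code from this thread or from auditfs: it parses constructed audit records in the key=value style of the Linux audit log, decodes the open() flags from the a1 argument (i386 syscall 5 = open, O_WRONLY/O_RDWR bit values as on Linux x86), and then answers the "did they actually CHANGE it?" question with a tripwire-style hash comparison. The log lines, baseline content and process names are constructed for the example.

```python
import hashlib
import re

# Access-mode bits of the open() flags argument (values as defined on Linux x86).
O_ACCMODE = 0o3
O_RDONLY, O_WRONLY, O_RDWR = 0o0, 0o1, 0o2

# Constructed audit records (not captured from a real system).  On i386 (arch=40000003)
# syscall 5 is open(); a1 carries the flags in hex.  The PATH record names the file.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1109195234.101:17): arch=40000003 syscall=5 success=yes exit=3 a0=bfffe120 a1=8241 a2=1b6 pid=1812 uid=0 comm="vipw" exe="/usr/sbin/vipw"
type=PATH msg=audit(1109195234.101:17): item=0 name="/etc/passwd"
type=SYSCALL msg=audit(1109195240.202:18): arch=40000003 syscall=5 success=yes exit=4 a0=bfffe120 a1=8000 a2=0 pid=1820 uid=1000 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1109195240.202:18): item=0 name="/etc/passwd"
type=SYSCALL msg=audit(1109195250.303:19): arch=40000003 syscall=5 success=no exit=-13 a0=bfffe120 a1=1 a2=0 pid=1830 uid=1000 comm="sh" exe="/bin/sh"
type=PATH msg=audit(1109195250.303:19): item=0 name="/etc/passwd"
"""

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_fields(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}


def parse_audit_log(text):
    """Group SYSCALL and PATH records by event serial number.  Returns {serial: event}."""
    events = {}
    for line in text.splitlines():
        m = _MSG.search(line)
        if not m:
            continue
        ts, serial = m.groups()
        ev = events.setdefault(serial, {"time": float(ts), "paths": []})
        fields = parse_fields(line)
        if fields.get("type") == "SYSCALL":
            ev.update(syscall=fields["syscall"], success=fields["success"] == "yes",
                      flags=int(fields["a1"], 16), uid=int(fields["uid"]), comm=fields["comm"])
        elif fields.get("type") == "PATH":
            ev["paths"].append(fields["name"])
    return events


def access_mode(flags):
    """Decode the access-mode bits of open() flags into a human-readable label."""
    return {O_RDONLY: "read", O_WRONLY: "write", O_RDWR: "read/write"}.get(
        flags & O_ACCMODE, "invalid")


def write_opens(events, path, syscall="5"):
    """Successful open() events on `path` whose mode permits writing (syscall 5 = open on i386)."""
    hits = []
    for serial, ev in sorted(events.items(), key=lambda kv: kv[1]["time"]):
        if ev.get("syscall") != syscall or not ev.get("success"):
            continue  # failed opens were denied at the permission check; nothing was written
        if path in ev["paths"] and ev["flags"] & O_ACCMODE != O_RDONLY:
            hits.append({"serial": serial, "uid": ev["uid"], "comm": ev["comm"],
                         "mode": access_mode(ev["flags"])})
    return hits


def content_changed(baseline_sha256, current_bytes):
    """Tripwire-style check: did the file content actually change since the baseline?"""
    return hashlib.sha256(current_bytes).hexdigest() != baseline_sha256


# Constructed baseline content for the file under watch.
BASELINE = b"root:x:0:0:root:/root:/bin/bash\n"
BASELINE_SHA256 = hashlib.sha256(BASELINE).hexdigest()


def report(log_text, path, baseline_sha256, current_bytes):
    """Combine both signals: who opened the file for writing, and did its content change?"""
    events = parse_audit_log(log_text)
    return {"write_opens": write_opens(events, path),
            "changed": content_changed(baseline_sha256, current_bytes)}


if __name__ == "__main__":
    # In this constructed scenario vipw opened /etc/passwd for writing but saved it unchanged.
    print(report(SAMPLE_AUDIT_LOG, "/etc/passwd", BASELINE_SHA256, BASELINE))
```

Only one of the three constructed open() events counts: the read-only open by cat and the denied open by sh are excluded on the flags and success fields alone, without any read()/write() records. Whether the one write-mode open actually modified the file is a question the audit trail cannot answer, so the hash comparison supplies it.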
