File watching

Casey Schaufler casey at schaufler-ca.com
Tue Jun 20 21:06:33 UTC 2006



--- Amy Griffis <amy.griffis at hp.com> wrote:

> It would be nice if it were possible to further filter the open calls,
> by allowing the rule to specify certain flags like O_CREAT, O_RDONLY,
> O_WRONLY or O_RDWR.  That could do quite a bit to eliminate unwanted
> log data.
> 
> What do others think, should we consider adding something like this?

The LSPP project may need to pipe in at some
point, depending on how they decide(d) to
address tranquility, especially on devices
that may be "allocated" by users.

In the UNIX B1/LSPP evaluations we found it
easier to provide the capability of auditing
file descriptor operations (read, write, seek,
fcheverything, ...) than to prove that they
weren't necessary. It's easy to win the
argument that it's ok to write to a file
with mode 0 if you opened it when it was 666.
That argument is much harder if the file
was TopSecret and is now Unclassified.

Casey Schaufler
casey at schaufler-ca.com
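The "opened at 666, written at mode 0" case above is easy to reproduce, and it is the reason an audit trail keyed only on open() cannot answer what happened to a file after its protection changed. The program below is an added example written for this page; it is not code from the message or from the Linux audit project. It constructs its own temporary file (it assumes /tmp is writable), opens it for writing while the mode is 0666, drops the mode to 0, and shows that write() on the existing descriptor still succeeds because DAC is checked once, at open time, while a fresh open() is refused with EACCES. The one caveat is root: CAP_DAC_OVERRIDE makes the fresh open succeed too, which the second function reports rather than hides.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a fresh temporary file (constructed for this example) with the
 * mode the message mentions, 0666, and return a descriptor on it opened
 * O_WRONLY.  The pathname is copied into 'path' so the caller can chmod
 * and unlink it.  Returns -1 on failure.  Assumes /tmp is writable. */
static int make_world_writable_file(char *path, size_t pathlen)
{
    char tmpl[] = "/tmp/tranquility-XXXXXX";
    int fd = mkstemp(tmpl);                    /* created with mode 0600 */
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0666) < 0) {                /* widen to 0666; umask does not apply */
        close(fd);
        unlink(tmpl);
        return -1;
    }
    close(fd);
    snprintf(path, pathlen, "%s", tmpl);
    return open(path, O_WRONLY);               /* DAC is checked here, once */
}

/* Returns 1 if write() on a descriptor obtained while the file was 0666
 * still succeeds after the file's mode has been changed to 0; 0 if the
 * kernel refused the write; -1 on setup error. */
int write_survives_chmod(void)
{
    char path[64];
    int fd = make_world_writable_file(path, sizeof path);
    if (fd < 0)
        return -1;

    if (chmod(path, 0) < 0) {                  /* revoke every permission bit */
        close(fd);
        unlink(path);
        return -1;
    }
    /* No permission check happens on write(): the open() already passed.
     * An audit rule that records only the open() syscall logs the 0666
     * open and nothing about this write. */
    const char msg[] = "written after chmod 0\n";
    ssize_t n = write(fd, msg, sizeof msg - 1);
    int ok = (n == (ssize_t)(sizeof msg - 1));

    close(fd);
    unlink(path);
    return ok;
}

/* Returns 1 if a *new* open() of the same file, now mode 0, is refused
 * with EACCES; 0 if it succeeds (expected when the process runs as root,
 * whose CAP_DAC_OVERRIDE bypasses mode bits); -1 on setup error. */
int fresh_open_denied(void)
{
    char path[64];
    int fd = make_world_writable_file(path, sizeof path);
    if (fd < 0)
        return -1;
    close(fd);

    if (chmod(path, 0) < 0) {
        unlink(path);
        return -1;
    }
    int fd2 = open(path, O_WRONLY);            /* DAC is re-checked on a new open() */
    int denied = (fd2 < 0 && errno == EACCES);
    if (fd2 >= 0)
        close(fd2);
    unlink(path);
    return denied;
}

int main(void)
{
    printf("write() on old fd after chmod 0: %s\n",
           write_survives_chmod() == 1 ? "succeeds" : "fails");
    printf("fresh open() after chmod 0:      %s\n",
           fresh_open_denied() == 1 ? "EACCES" : "allowed (running as root?)");
    return 0;
}
```

Run it as an unprivileged user to see both outcomes: the old descriptor keeps working, the new open is refused. The same shape applies to the MAC case in the message, with the label change in place of chmod: only an audit capability on descriptor operations (read, write, seek, ...) can show what was done with a descriptor after the object's protection was changed.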