close(2) not being audited?

Steve Grubb sgrubb at redhat.com
Fri Jan 26 17:37:40 UTC 2007


On Thursday 28 December 2006 16:58, Todd, Charles wrote:
> NISPOM 8-602 requires that CLOSE operations on security-relevant objects be
> logged.

Out of curiosity, what level of effort does the audit system need to go to? 
Would auditing the close syscall be sufficient? Does dups() need to be 
followed? What about descriptor inheritance? And passing descriptors between 
processes via af_unix?

-Steve



