close(2) not being audited?

John D. Ramsdell ramsdell at mitre.org
Fri Jan 26 18:03:20 UTC 2007


> Out of curiosity, what level of effort does the audit system need to
> go to?  Would auditing the close syscall be sufficient? Does dups()
> need to be followed? What about descriptor inheritance? And passing
> descriptors between processes via af_unix?

Keeping track of the life cycle of file descriptors, through dups,
forks, and close on execs, is what Polgen's tracker does.  Well,
almost--it doesn't handle passing descriptors between processes via
af_unix, and it doesn't handle the System V IPC calls invoked through
ipc.  In short, once the audit parsing library is available, I'll use
it to feed the results of an ausearch to the tracker.  Its output may
be of use in analyzing logs, in addition to being an important
component in our policy generation tool.

John
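The descriptor life cycle John describes (dup, fork, close, close-on-exec) as a small tracker, added here as an illustration; it is not Polgen's tracker, and the event tuples are a constructed, simplified stand-in for parsed audit records rather than the real audit log format.

```python
from collections import defaultdict

# Constructed (pid, syscall, args, return_value) tuples standing in for
# parsed audit records; this is not the real audit record format.
SAMPLE_TRACE = [
    (100, "open",   {"path": "/etc/passwd", "cloexec": False}, 3),
    (100, "open",   {"path": "/var/log/app.log", "cloexec": True}, 4),
    (100, "dup",    {"fd": 3}, 5),               # dup clears FD_CLOEXEC on 5
    (100, "fcntl",  {"fd": 5, "cloexec": True}, 0),
    (100, "fork",   {}, 200),                    # child 200 inherits 3, 4, 5
    (200, "execve", {"path": "/bin/ls"}, 0),     # 4 and 5 are close-on-exec
    (100, "close",  {"fd": 3}, 0),
    (100, "close",  {"fd": 9}, -1),              # EBADF: nothing to forget
]

def track(events):
    """Return {pid: {fd: path}} of descriptors still open at trace end."""
    table = defaultdict(dict)  # pid -> {fd: (path, cloexec_flag)}
    for pid, call, args, ret in events:
        fds = table[pid]
        if call == "open" and ret >= 0:
            fds[ret] = (args["path"], args.get("cloexec", False))
        elif call == "dup" and ret >= 0 and args["fd"] in fds:
            # The duplicate shares the open file description, but the
            # FD_CLOEXEC flag is not copied to the new descriptor.
            fds[ret] = (fds[args["fd"]][0], False)
        elif call == "fcntl" and ret == 0 and args["fd"] in fds:
            fds[args["fd"]] = (fds[args["fd"]][0], args["cloexec"])
        elif call == "close":
            # Linux releases the descriptor even when close() reports an
            # error, so forget it whenever it was known to be open.
            fds.pop(args["fd"], None)
        elif call == "fork" and ret > 0:
            # The child starts with a copy of the parent's table, flags included.
            table[ret] = dict(fds)
        elif call == "execve" and ret == 0:
            # A successful exec closes every descriptor marked close-on-exec.
            table[pid] = {fd: st for fd, st in fds.items() if not st[1]}
        elif call == "exit":
            table.pop(pid, None)
    return {pid: {fd: path for fd, (path, _) in fds.items()}
            for pid, fds in table.items()}

if __name__ == "__main__":
    for pid, fds in sorted(track(SAMPLE_TRACE).items()):
        print(pid, fds)
```

Descriptors passed over af_unix and System V IPC objects are, as in the post, not modelled.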