close(2) not being audited?
Alexander Viro
aviro at redhat.com
Fri Jan 26 22:19:33 UTC 2007
On Fri, Jan 26, 2007 at 03:14:10PM -0500, Wieprecht, Karen M. wrote:
> Actually, the exact wording says:
>
> "Successful and unsuccessful accesses to security-relevant objects and
> directories"
>
> It does not specify exactly how that should be collected, but the
> NISPOM does request that the audit record include who tried to access
> it, what they tried to access, the time and date of the access attempt,
> what command they were trying to run (rm, chmod, etc.), and if they
> were successful or not. What happens behind the scenes after the
> operating system takes over the request may not be of as much interest
> unless collecting that info helps to provide the above details to the
> audit record.
Please, define "access". Consider the following sequence:
on April 1st:
fd = open(foo, O_RDWR);
p = mmap(..., fd, ...);
close(fd);
two days later: modify area pointed to by p
a month later: munmap(p, ...);
What do you want in the log? More specifically, _when_ do you want it?
Is that close() worth more than munmap()? All file access will be done
at least a couple of days after it and file will remain open for more than
a month, despite successful call of close(2).
The main question here is what are those logs supposed to be useful for,
beside the CYA exercises.
More information about the Linux-audit
mailing list