close(2) not being audited?
Timothy R. Chavez
tim.chavez at linux.vnet.ibm.com
Fri Jan 26 23:00:18 UTC 2007
On Fri, 26 Jan 2007 17:19:33 -0500
Alexander Viro <aviro at redhat.com> wrote:
> On Fri, Jan 26, 2007 at 03:14:10PM -0500, Wieprecht, Karen M. wrote:
> > Actually, the exact wording says:
> >
> > "Successful and unsuccessful accesses to security-relevant objects and
> > directories"
> >
> > It does not specify exactly how that should be collected, but the
> > NISPOM does request that the audit record include who tried to access
> > it, what they tried to access, the time and date of the access attempt,
> > what command they were trying to run (rm, chmod, etc.), and if they
> > were successful or not. What happens behind the scenes after the
> > operating system takes over the request may not be of as much interest
> > unless collecting that info helps to provide the above details to the
> > audit record.
>
> Please, define "access". Consider the following sequence:
> on April 1st:
> fd = open(foo, O_RDWR);
> p = mmap(..., fd, ...);
> close(fd);
> two days later: modify area pointed to by p
> a month later: munmap(p, ...);
>
> What do you want in the log? More specifically, _when_ do you want it?
Write out a log when the last reference to the fd is put back... whether
that's from a close or an munmap.
-tim
More information about the Linux-audit
mailing list