How to audit socket close system call?

LC Bruzenak lenny at magitekltd.com
Fri Jan 9 18:22:58 UTC 2015


On 01/08/2015 04:55 PM, Alexander Viro wrote:
> Incidentally, that's a fine example of the reasons why syscall audit is useless
> for almost anything other than CYA.  It's not that syscall tracing is useless -
> strace can be quite useful, actually.  It's the bogus impression of coverage
> in case of watching what live system does - a whole lot of events simply do
> not map on "somebody had done a syscall with such and such arguments".
All true & well put; thank you.
The CYA factor IS important. But the translation magic from user actions
to syscalls (and back - from intent to result) is where it gets interesting.
The forensics challenge with the data we have is what some of us are
grappling with now (forever).

LCB

-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com
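The coverage gap the quoted reply describes, as an added example that is not part of the original thread: a close(2) audit rule records "process X called close on fd N", but the event a defender actually cares about, the socket being torn down, is decoupled from that syscall. The program below (my own illustration, not code from the list) uses an AF_UNIX socketpair and checks, from the surviving end, whether the peer end is really gone. It shows three cases: the socket released by dup2() with no close(2) at all, a genuine close(2) in a forked child that releases nothing because the parent still holds the descriptor, and a socket released by process exit after the parent's close(2) had already been logged. Names such as `peer_state` are mine.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Probe one end of a socketpair without blocking and classify the peer:
 *   0 -> peer end fully released (read returns EOF)
 *   1 -> peer end still referenced somewhere (EAGAIN, nothing to read)
 *  -1 -> unexpected error */
static int peer_state(int fd)
{
    char c;
    int flags = fcntl(fd, F_GETFL);
    if (flags < 0 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0)
        return -1;
    ssize_t n = read(fd, &c, 1);
    if (n == 0)
        return 0;
    if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
        return 1;
    return -1;
}

/* Case 1: the socket end is released by dup2(), never by close(2).
 * Returns the peer state seen afterwards (expected 0). */
int socket_released_by_dup2(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int devnull = open("/dev/null", O_RDONLY);
    if (devnull < 0) return -1;
    /* dup2 drops the last reference to the socket behind sv[0] as a side effect. */
    if (dup2(devnull, sv[0]) < 0) return -1;
    int state = peer_state(sv[1]);
    close(devnull); close(sv[0]); close(sv[1]);
    return state;
}

/* Case 2: a real, auditable close(2) that releases nothing.
 * Returns the peer state after the child's close (expected 1). */
int close_in_child_does_not_release(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(sv[0]);            /* audit sees "close(fd)" in the child ... */
        _exit(0);
    }
    waitpid(pid, NULL, 0);
    int state = peer_state(sv[1]); /* ... but the parent's copy keeps the socket alive */
    close(sv[0]); close(sv[1]);
    return state;
}

/* Case 3: the parent's close(2) is logged, yet the socket only dies when the
 * child exits. Writes the peer state after the close and after the exit
 * (expected 1 then 0); returns 0 on success, -1 on error. */
int socket_released_by_exit(int *after_close, int *after_exit)
{
    int sv[2], go[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(go) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char c;
        close(go[1]);
        (void)read(go[0], &c, 1); /* wait for the parent, then exit without closing sv[0] */
        _exit(0);
    }
    close(go[0]);
    close(sv[0]);                 /* the parent's close(2): audited, socket still open */
    *after_close = peer_state(sv[1]);
    (void)write(go[1], "x", 1);   /* let the child exit; its copy of sv[0] goes with it */
    close(go[1]);
    waitpid(pid, NULL, 0);
    *after_exit = peer_state(sv[1]);
    close(sv[1]);
    return 0;
}

int main(void)
{
    int a = -1, b = -1;
    printf("dup2 released socket (0=EOF):         %d\n", socket_released_by_dup2());
    printf("child close(2) released it (1=alive): %d\n", close_in_child_does_not_release());
    if (socket_released_by_exit(&a, &b) == 0)
        printf("after parent close: %d, after child exit: %d\n", a, b);
    return 0;
}
```

The practical consequence for detection is the one the quoted reply draws: a syscall record answers "which process invoked close with which descriptor", not "when did this connection end". Correlating the close record with the socket's earlier connect/accept records, or watching the socket's own lifecycle through a subsystem that tracks the object rather than the syscall, is what closes that gap; the close(2) rule alone is evidence of intent, not of effect.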

