From: "Timothy R. Chavez" <tinytim@us.ibm.com>
To: Jonathan Abbey <jonabbey@arlut.utexas.edu>
Cc: linux-audit@redhat.com
Subject: Re: File watching
Date: Tue, 20 Jun 2006 13:22:58 -0500
Message-ID: <1150827779.19484.7.camel@localhost.localdomain>
In-Reply-To: <20060620181024.GA31078@arlut.utexas.edu>
On Tue, 2006-06-20 at 13:10 -0500, Jonathan Abbey wrote:
> On Tue, Jun 20, 2006 at 01:53:14PM -0400, Steve wrote:
> | I have audit set to monitor all system calls for a file. I see some
> | system calls for it, but I think some may be missing... If I create the
> | file using vi, I only see an open followed by a stat64. Shouldn't there
> | be a write of some type? stat and open can't write to a file, can they?
>
> Generally (and I'm speaking from my experience with Snare, here), one
> does not attempt to audit the actual read and write syscalls. Mainly
> because there are far, far too many of them, and you need their
> performance to be as high as conceivably possible.
I think it has more to do with security relevancy than anything. Audit
development has primarily been driven by CAPP and LSPP requirements for
the last couple of years.
-tim
>
> Instead, you audit the file open, and make a note of whether the file
> was opened read-only, or for read/write. If it was opened for
> read/write, one presumes that it was written to.
>
> Jon
>
> | Thanks,
> | Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
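Jon's heuristic above (audit the open, record the access mode, presume a write when the file was opened for writing) as an added example that is not code from any participant in this thread: it parses constructed SYSCALL records in auditd's key=value format, decodes the open(2) flags from the a1 argument, and treats the stat64 that vi issues as a non-writing call. It assumes the i386 syscall numbers (open=5, stat64=195) implied by the stat64 mention, and only credits a write when the open actually succeeded.

```python
import re

# Linux open(2) flag values (i386, same as asm-generic); assumed here
O_ACCMODE, O_WRONLY, O_RDWR = 0o3, 0o1, 0o2
O_CREAT, O_TRUNC, O_APPEND = 0o100, 0o1000, 0o2000
AUDIT_ARCH_I386 = "40000003"
SYSCALL_OPEN_I386 = 5      # open(2): flags travel in a1
SYSCALL_STAT64_I386 = 195  # stat64(2): cannot modify file data

# Constructed SYSCALL records in auditd's key=value format, not real logs
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1150827779.123:45): arch=40000003 syscall=5 success=yes exit=3 a0=8140120 a1=8241 a2=1a4 a3=0 pid=19484 uid=500 comm="vi" key="file-watch"
type=SYSCALL msg=audit(1150827779.124:46): arch=40000003 syscall=195 success=yes exit=0 a0=8140120 a1=bfa3e0c0 a2=0 a3=0 pid=19484 uid=500 comm="vi" key="file-watch"
type=SYSCALL msg=audit(1150827780.001:47): arch=40000003 syscall=5 success=yes exit=4 a0=8140120 a1=8000 a2=0 a3=0 pid=19500 uid=500 comm="cat" key="file-watch"
type=SYSCALL msg=audit(1150827781.002:48): arch=40000003 syscall=5 success=no exit=-13 a0=8140120 a1=8002 a2=0 a3=0 pid=19510 uid=500 comm="dd" key="file-watch"
"""

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in _FIELD.findall(line)}

def classify(line):
    """Apply the thread's heuristic to one record: was the file presumably written?"""
    rec = parse_record(line)
    if rec.get("type") != "SYSCALL" or rec.get("arch") != AUDIT_ARCH_I386:
        return None  # not a syscall record, or not the arch whose numbers we know
    nr = int(rec.get("syscall", "-1"))
    if nr == SYSCALL_STAT64_I386:
        return {"comm": rec.get("comm"), "call": "stat64", "presumed_write": False}
    if nr != SYSCALL_OPEN_I386:
        return None
    flags = int(rec["a1"], 16)
    access = {0: "O_RDONLY", O_WRONLY: "O_WRONLY", O_RDWR: "O_RDWR"}.get(
        flags & O_ACCMODE, "invalid")
    return {
        "comm": rec.get("comm"), "call": "open", "access": access,
        "creates": bool(flags & O_CREAT), "truncates": bool(flags & O_TRUNC),
        "appends": bool(flags & O_APPEND),
        # a write is only presumed when the open was for writing AND succeeded
        "presumed_write": access in ("O_WRONLY", "O_RDWR")
                          and rec.get("success") == "yes",
    }

def presumed_writers(log_text):
    """Return the comm names of processes presumed to have written the file."""
    results = (classify(l) for l in log_text.splitlines())
    return [r["comm"] for r in results if r and r["presumed_write"]]
```

On the constructed sample, only vi (O_WRONLY|O_CREAT|O_TRUNC, success=yes) is reported as a writer; cat opened read-only and dd's read/write open failed with EACCES.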