From: Steve Grubb
Subject: Re: close(2) not being audited?
Date: Fri, 26 Jan 2007 12:37:40 -0500
Message-ID: <200701261237.40345.sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Todd, Charles"
List-Id: linux-audit@redhat.com

On Thursday 28 December 2006 16:58, Todd, Charles wrote:
> NISPOM 8-602 requires that CLOSE operations on security-relevant objects be
> logged.

Out of curiosity, what level of effort does the audit system need to go to?
Would auditing the close syscall be sufficient? Does dups() need to be
followed? What about descriptor inheritance? And passing descriptors between
processes via af_unix?

-Steve
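
An added example, not part of the original message or of the audit project's code: a C sketch of two of the cases the questions above raise, showing that a close(2) on one descriptor leaves the underlying object open when a dup(2) copy or a copy passed over an AF_UNIX socket still exists. The function names are made up for illustration, and a pipe stands in for the security-relevant object.

```c
/* Added example: a logged close(2) does not imply the object is released. */
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Write one byte through fd; 1 means the open file description is still live. */
static int still_usable(int fd) { return write(fd, "x", 1) == 1; }

/* dup(2): the original descriptor is closed, the duplicate keeps the object open. */
int usable_after_dup_close(void) {
    int p[2];
    if (pipe(p) != 0) return -1;
    int copy = dup(p[1]);
    close(p[1]);                      /* the close an audit rule would record */
    int ok = still_usable(copy);
    close(copy); close(p[0]);
    return ok;
}

/* SCM_RIGHTS: the sender closes its descriptor, the received copy still works. */
int usable_after_scm_rights_close(void) {
    int p[2], sv[2], got = -1;
    char byte = 'f';
    union { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct iovec iov = { &byte, 1 };
    struct msghdr m;
    if (pipe(p) != 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    memset(&m, 0, sizeof m);
    memset(&u, 0, sizeof u);
    m.msg_iov = &iov; m.msg_iovlen = 1;
    m.msg_control = u.buf; m.msg_controllen = sizeof u.buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &p[1], sizeof(int));
    if (sendmsg(sv[0], &m, 0) != 1) return -1;
    close(p[1]);                      /* sender-side close, as it would be logged */
    m.msg_controllen = sizeof u.buf;
    if (recvmsg(sv[1], &m, 0) != 1) return -1;
    c = CMSG_FIRSTHDR(&m);
    if (c == NULL || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS)
        return -1;
    memcpy(&got, CMSG_DATA(c), sizeof(int));
    int ok = still_usable(got);       /* receiver's descriptor is a separate reference */
    close(got); close(p[0]); close(sv[0]); close(sv[1]);
    return ok;
}
```

Both functions return 1 when the object is still writable after the recorded close.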