Re: close(2) not being audited?

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: "Timothy R. Chavez" <tim.chavez@linux.vnet.ibm.com>
To: linux-audit@redhat.com
Subject: Re: close(2) not being audited?
Date: Fri, 26 Jan 2007 17:00:18 -0600	[thread overview]
Message-ID: <20070126170018.23fd1cd2@crumpet> (raw)
In-Reply-To: <20070126221933.GF14621@devserv.devel.redhat.com>

On Fri, 26 Jan 2007 17:19:33 -0500
Alexander Viro <aviro@redhat.com> wrote:

> On Fri, Jan 26, 2007 at 03:14:10PM -0500, Wieprecht, Karen M. wrote:
> > Actually, the exact wording says:
> > 
> > "Successful and unsuccessful accesses to security-relevant objects and
> > directories"
> > 
> > It does not specify exactly how that should be collected,  but the
> > NISPOM does request that the audit record  include who tried to access
> > it, what they tried to access, the time and date of the access attempt,
> > what command they were trying to run (rm, chmod, etc.),  and if they
> > were successful or not.  What happens behind the scenes after the
> > operating system takes over the request may not be of as much interest
> > unless collecting that info helps to provide the above details to the
> > audit record. 
> 
> Please, define "access".  Consider the following sequence:
> 	on April 1st:
> 	fd = open(foo, O_RDWR);
> 	p = mmap(..., fd, ...);
> 	close(fd);
> 	two days later: modify area pointed to by p
> 	a month later: munmap(p, ...);
> 
> What do you want in the log?  More specifically, _when_ do you want it?

Write out a log when the last reference to the fd is put back... whether
that's from a close or an munmap.

-tim

next prev parent reply	other threads:[~2007-01-26 23:00 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-12-28 21:58 close(2) not being audited? Todd, Charles
2006-12-30 14:36 ` Steve Grubb
2007-01-26 17:37 ` Steve Grubb
2007-01-26 18:03   ` John D. Ramsdell
2007-01-26 20:14   ` Wieprecht, Karen M.
2007-01-26 22:19     ` Alexander Viro
2007-01-26 23:00       ` Timothy R. Chavez [this message]
2007-01-26 23:01       ` Timothy R. Chavez
2007-01-26 23:20         ` Alexander Viro
2007-01-26 23:46           ` Timothy R. Chavez
2007-01-28 21:40             ` James Antill
2007-01-29 20:19               ` Timothy R. Chavez
2007-01-26 23:29         ` Alexander Viro
2007-01-27  0:03           ` Timothy R. Chavez

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20070126170018.23fd1cd2@crumpet \
    --to=tim.chavez@linux.vnet.ibm.com \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox