From: "Timothy R. Chavez"
Subject: Re: close(2) not being audited?
Date: Fri, 26 Jan 2007 17:00:18 -0600
Message-ID: <20070126170018.23fd1cd2@crumpet>
In-Reply-To: <20070126221933.GF14621@devserv.devel.redhat.com>
References: <200701261237.40345.sgrubb@redhat.com> <20070126221933.GF14621@devserv.devel.redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Fri, 26 Jan 2007 17:19:33 -0500 Alexander Viro wrote:

> On Fri, Jan 26, 2007 at 03:14:10PM -0500, Wieprecht, Karen M. wrote:
> > Actually, the exact wording says:
> >
> > "Successful and unsuccessful accesses to security-relevant objects and
> > directories"
> >
> > It does not specify exactly how that should be collected, but the
> > NISPOM does request that the audit record include who tried to access
> > it, what they tried to access, the time and date of the access attempt,
> > what command they were trying to run (rm, chmod, etc.), and if they
> > were successful or not. What happens behind the scenes after the
> > operating system takes over the request may not be of as much interest
> > unless collecting that info helps to provide the above details to the
> > audit record.
>
> Please, define "access". Consider the following sequence:
> on April 1st:
> fd = open(foo, O_RDWR);
> p = mmap(..., fd, ...);
> close(fd);
> two days later: modify area pointed to by p
> a month later: munmap(p, ...);
>
> What do you want in the log? More specifically, _when_ do you want it?

Write out a log when the last reference to the fd is put back... whether
that's from a close or an munmap.

-tim
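Added example, not part of this thread or of the audit tree: a small C program that walks the open/mmap/close/modify/munmap sequence above and checks that the file content changed after close(2) had already returned, which is what makes a record emitted at close time miss the actual modification. The scratch path /tmp/audit_mmap_demo.txt is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed helper: run open -> mmap -> close -> modify via mapping
 * -> munmap on one file and report whether the modification made after
 * close(2) is visible in the file. Returns 1 if it is, 0 if not,
 * -1 on setup failure. */
int modify_after_close(const char *path)
{
    const char initial[] = "unchanged";      /* 10 bytes incl. NUL */
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, initial, sizeof initial) != (ssize_t)sizeof initial) {
        close(fd);
        return -1;
    }

    /* Map the file, then drop the descriptor: a rule keyed on close(2)
     * would produce its record here, while the file stays reachable via p. */
    char *p = mmap(NULL, sizeof initial, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) { close(fd); return -1; }
    close(fd);

    /* Modify the file through the mapping with no descriptor open at all. */
    memcpy(p, "MODIFIED!", 9);
    msync(p, sizeof initial, MS_SYNC);

    /* Unmapping releases the last reference to the open file. */
    munmap(p, sizeof initial);

    /* Re-read with a fresh descriptor and compare against the new content. */
    char buf[sizeof initial] = {0};
    fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    if (n != (ssize_t)sizeof initial) return -1;
    return strncmp(buf, "MODIFIED!", 9) == 0;
}

int main(void)
{
    const char *path = "/tmp/audit_mmap_demo.txt";   /* assumed scratch path */
    int r = modify_after_close(path);
    printf("file changed after close(2) returned: %s\n", r == 1 ? "yes" : "no");
    unlink(path);
    return r == 1 ? 0 : 1;
}
```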