Re: close(2) not being audited?

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: Alexander Viro <aviro@redhat.com>
To: "Wieprecht, Karen M." <Karen.Wieprecht@jhuapl.edu>
Cc: "Todd, Charles" <CTODD@ball.com>, linux-audit@redhat.com
Subject: Re: close(2) not being audited?
Date: Fri, 26 Jan 2007 17:19:33 -0500	[thread overview]
Message-ID: <20070126221933.GF14621@devserv.devel.redhat.com> (raw)
In-Reply-To: <FC11D747323EB24493CDC753367EEB92019FA4D3@aplesnation.dom1.jhuapl.edu>

On Fri, Jan 26, 2007 at 03:14:10PM -0500, Wieprecht, Karen M. wrote:
> Actually, the exact wording says:
> 
> "Successful and unsuccessful accesses to security-relevant objects and
> directories"
> 
> It does not specify exactly how that should be collected,  but the
> NISPOM does request that the audit record  include who tried to access
> it, what they tried to access, the time and date of the access attempt,
> what command they were trying to run (rm, chmod, etc.),  and if they
> were successful or not.  What happens behind the scenes after the
> operating system takes over the request may not be of as much interest
> unless collecting that info helps to provide the above details to the
> audit record. 

Please, define "access".  Consider the following sequence:
	on April 1st:
	fd = open(foo, O_RDWR);
	p = mmap(..., fd, ...);
	close(fd);
	two days later: modify area pointed to by p
	a month later: munmap(p, ...);

What do you want in the log?  More specifically, _when_ do you want it?

Is that close() worth more than munmap()?  All file access will be done
at least a couple of days after it and file will remain open for more than
a month, despite successful call of close(2).

The main question here is what are those logs supposed to be useful for,
beside the CYA exercises.

next prev parent reply	other threads:[~2007-01-26 22:19 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-12-28 21:58 close(2) not being audited? Todd, Charles
2006-12-30 14:36 ` Steve Grubb
2007-01-26 17:37 ` Steve Grubb
2007-01-26 18:03   ` John D. Ramsdell
2007-01-26 20:14   ` Wieprecht, Karen M.
2007-01-26 22:19     ` Alexander Viro [this message]
2007-01-26 23:00       ` Timothy R. Chavez
2007-01-26 23:01       ` Timothy R. Chavez
2007-01-26 23:20         ` Alexander Viro
2007-01-26 23:46           ` Timothy R. Chavez
2007-01-28 21:40             ` James Antill
2007-01-29 20:19               ` Timothy R. Chavez
2007-01-26 23:29         ` Alexander Viro
2007-01-27  0:03           ` Timothy R. Chavez

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20070126221933.GF14621@devserv.devel.redhat.com \
    --to=aviro@redhat.com \
    --cc=CTODD@ball.com \
    --cc=Karen.Wieprecht@jhuapl.edu \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox