From: Alexander Viro
Subject: Re: close(2) not being audited?
Date: Fri, 26 Jan 2007 17:19:33 -0500
Message-ID: <20070126221933.GF14621@devserv.devel.redhat.com>
References: <200701261237.40345.sgrubb@redhat.com>
To: "Wieprecht, Karen M."
Cc: "Todd, Charles", linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Fri, Jan 26, 2007 at 03:14:10PM -0500, Wieprecht, Karen M. wrote:
> Actually, the exact wording says:
>
> "Successful and unsuccessful accesses to security-relevant objects and
> directories"
>
> It does not specify exactly how that should be collected, but the
> NISPOM does request that the audit record include who tried to access
> it, what they tried to access, the time and date of the access attempt,
> what command they were trying to run (rm, chmod, etc.), and if they
> were successful or not. What happens behind the scenes after the
> operating system takes over the request may not be of as much interest
> unless collecting that info helps to provide the above details to the
> audit record.

Please, define "access". Consider the following sequence:

on April 1st:
	fd = open(foo, O_RDWR);
	p = mmap(..., fd, ...);
	close(fd);

two days later:
	modify area pointed to by p

a month later:
	munmap(p, ...);

What do you want in the log? More specifically, _when_ do you want it?
Is that close() worth more than munmap()? All file access will be done
at least a couple of days after it, and the file will remain open for
more than a month, despite a successful call to close(2).

The main question here is what those logs are supposed to be useful for,
besides the CYA exercises.
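The open/mmap/close sequence above, as an added example that is not part of the original thread: it shows that a store through a MAP_SHARED mapping still reaches the file after close(2) has returned success, which is why an audit rule on close() says nothing about when the data was actually modified. The temp file path pattern and the function names are constructed for this demo.

```c
/* Added example (not from the linux-audit thread): write to a file
 * through a shared mapping after the descriptor has been closed. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns 1 if bytes stored through the mapping after close(fd) reached
 * the file on disk, 0 if they did not, -1 on a system call error. */
int write_after_close(const char *path)
{
    const char before[] = "original contents";   /* 18 bytes incl. NUL */
    const char after[]  = "modified via mmap";   /* same length */
    char buf[sizeof after];
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, before, sizeof before) != (ssize_t)sizeof before) { close(fd); return -1; }

    /* MAP_SHARED: stores through p land in this inode's page cache. */
    char *p = mmap(NULL, sizeof before, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) { close(fd); return -1; }

    /* close(2) succeeds here; the struct file stays alive behind the mapping. */
    if (close(fd) != 0) return -1;

    memcpy(p, after, sizeof after);     /* the "two days later" modification */
    msync(p, sizeof before, MS_SYNC);   /* push it to the file */
    munmap(p, sizeof before);           /* the "a month later" release */

    /* Independent re-open to observe what actually reached the file. */
    fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    return n == (ssize_t)sizeof buf && memcmp(buf, after, sizeof after) == 0;
}

/* Runs the demo on a fresh temp file (constructed path) and cleans up. */
int run_demo(void)
{
    char path[] = "/tmp/audit-close-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    int rc = write_after_close(path);
    unlink(path);
    return rc;
}

int main(void) { printf("write after close reached file: %d\n", run_demo()); return 0; }
```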