RE: close(2) not being audited? (Wieprecht, Karen M.)

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: Randy Zagar <zagar@arlut.utexas.edu>
To: linux-audit@redhat.com
Subject: RE: close(2) not being audited? (Wieprecht, Karen M.)
Date: Mon, 29 Jan 2007 13:59:27 -0600	[thread overview]
Message-ID: <45BE521F.9040806@arlut.utexas.edu> (raw)
In-Reply-To: <20070127170020.81DEA733B3@hormel.redhat.com>

Actually, this statement was amended in a later Industrial Security 
Letter...

The comments from the ISL have been incorporated into our NISPOM docs 
and include the following:

    8.602. Audit Capability

    (c) Successful and unsuccessful accesses to security-relevant
    objects and directories, including creation, open, close,
    modification, and deletion.

    55. Question: Paragraph 8-602a(1)(c) can generate upwards to 100
    audit entries for each successful access to security-relevant
    objects and/or directories.  From a security standpoint, is this
    information of enough importance to generate voluminous amounts of
    auditing data?

    Answer: No.  Only unsuccessful accesses need to be audited.

Now I can easily imagine that Sarbanes-Oxley or HIPPA may require 
auditing successful accesses to SROs, but the NISPOM no longer requires 
it...

-Randy Zagar

linux-audit-request@redhat.com wrote:

> Date: Fri, 26 Jan 2007 15:14:10 -0500
>
>From: "Wieprecht, Karen M." <Karen.Wieprecht@jhuapl.edu>
>Subject: RE: close(2) not being audited?
>To: "Steve Grubb" <sgrubb@redhat.com>, <linux-audit@redhat.com>
>Cc: "Todd, Charles" <CTODD@ball.com>
>Message-ID:
>	<FC11D747323EB24493CDC753367EEB92019FA4D3@aplesnation.dom1.jhuapl.edu>
>Content-Type: text/plain;	charset="us-ascii"
>
>Actually, the exact wording says:
>
>"Successful and unsuccessful accesses to security-relevant objects and
>directories"
>
>It does not specify exactly how that should be collected,  but the
>NISPOM does request that the audit record  include who tried to access
>it, what they tried to access, the time and date of the access attempt,
>what command they were trying to run (rm, chmod, etc.),  and if they
>were successful or not.  What happens behind the scenes after the
>operating system takes over the request may not be of as much interest
>unless collecting that info helps to provide the above details to the
>audit record. 
>
>-Karen Wieprecht
>  
>
-- 
Randy Zagar                               Sr. Unix Systems Administrator
E-mail: zagar@arlut.utexas.edu            Applied Research Laboratories
Phone: 512 835-3131                       Univ. of Texas at Austin

          parent reply	other threads:[~2007-01-29 20:03 UTC|newest]

Thread overview: expand[flat|nested]  mbox.gz  Atom feed
 [parent not found: <20070127170020.81DEA733B3@hormel.redhat.com>]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=45BE521F.9040806@arlut.utexas.edu \
    --to=zagar@arlut.utexas.edu \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox