RE: close(2) not being audited? (Wieprecht, Karen M.)

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

* RE: close(2) not being audited? (Wieprecht, Karen M.)
       [not found] <20070127170020.81DEA733B3@hormel.redhat.com>
@ 2007-01-29 19:59 ` Randy Zagar
  0 siblings, 0 replies; only message in thread
From: Randy Zagar @ 2007-01-29 19:59 UTC (permalink / raw)
  To: linux-audit

Actually, this statement was amended in a later Industrial Security 
Letter...

The comments from the ISL have been incorporated into our NISPOM docs 
and include the following:

    8.602. Audit Capability

    (c) Successful and unsuccessful accesses to security-relevant
    objects and directories, including creation, open, close,
    modification, and deletion.

    55. Question: Paragraph 8-602a(1)(c) can generate upwards to 100
    audit entries for each successful access to security-relevant
    objects and/or directories.  From a security standpoint, is this
    information of enough importance to generate voluminous amounts of
    auditing data?

    Answer: No.  Only unsuccessful accesses need to be audited.

Now I can easily imagine that Sarbanes-Oxley or HIPPA may require 
auditing successful accesses to SROs, but the NISPOM no longer requires 
it...

-Randy Zagar

linux-audit-request@redhat.com wrote:

> Date: Fri, 26 Jan 2007 15:14:10 -0500
>
>From: "Wieprecht, Karen M." <Karen.Wieprecht@jhuapl.edu>
>Subject: RE: close(2) not being audited?
>To: "Steve Grubb" <sgrubb@redhat.com>, <linux-audit@redhat.com>
>Cc: "Todd, Charles" <CTODD@ball.com>
>Message-ID:
>	<FC11D747323EB24493CDC753367EEB92019FA4D3@aplesnation.dom1.jhuapl.edu>
>Content-Type: text/plain;	charset="us-ascii"
>
>Actually, the exact wording says:
>
>"Successful and unsuccessful accesses to security-relevant objects and
>directories"
>
>It does not specify exactly how that should be collected,  but the
>NISPOM does request that the audit record  include who tried to access
>it, what they tried to access, the time and date of the access attempt,
>what command they were trying to run (rm, chmod, etc.),  and if they
>were successful or not.  What happens behind the scenes after the
>operating system takes over the request may not be of as much interest
>unless collecting that info helps to provide the above details to the
>audit record. 
>
>-Karen Wieprecht
>  
>
-- 
Randy Zagar                               Sr. Unix Systems Administrator
E-mail: zagar@arlut.utexas.edu            Applied Research Laboratories
Phone: 512 835-3131                       Univ. of Texas at Austin

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2007-01-29 20:03 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <20070127170020.81DEA733B3@hormel.redhat.com>
2007-01-29 19:59 ` close(2) not being audited? (Wieprecht, Karen M.) Randy Zagar

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox