From: Randy Zagar
Subject: RE: close(2) not being audited? (Wieprecht, Karen M.)
Date: Mon, 29 Jan 2007 13:59:27 -0600
Message-ID: <45BE521F.9040806@arlut.utexas.edu>
In-Reply-To: <20070127170020.81DEA733B3@hormel.redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Actually, this statement was amended in a later Industrial Security Letter... The comments from the ISL have been incorporated into our NISPOM docs and include the following:

8.602. Audit Capability

(c) Successful and unsuccessful accesses to security-relevant objects and directories, including creation, open, close, modification, and deletion.

55. Question: Paragraph 8-602a(1)(c) can generate upwards to 100 audit entries for each successful access to security-relevant objects and/or directories. From a security standpoint, is this information of enough importance to generate voluminous amounts of auditing data?
Answer: No. Only unsuccessful accesses need to be audited.

Now I can easily imagine that Sarbanes-Oxley or HIPAA may require auditing successful accesses to SROs, but the NISPOM no longer requires it...

-Randy Zagar

linux-audit-request@redhat.com wrote:
> Date: Fri, 26 Jan 2007 15:14:10 -0500
> From: "Wieprecht, Karen M."
> Subject: RE: close(2) not being audited?
> To: "Steve Grubb",
> Cc: "Todd, Charles"
> Message-ID:
> Content-Type: text/plain; charset="us-ascii"
>
> Actually, the exact wording says:
>
> "Successful and unsuccessful accesses to security-relevant objects and
> directories"
>
> It does not specify exactly how that should be collected, but the
> NISPOM does request that the audit record include who tried to access
> it, what they tried to access, the time and date of the access attempt,
> what command they were trying to run (rm, chmod, etc.), and if they
> were successful or not. What happens behind the scenes after the
> operating system takes over the request may not be of as much interest
> unless collecting that info helps to provide the above details to the
> audit record.
>
> -Karen Wieprecht

--
Randy Zagar
Sr. Unix Systems Administrator
E-mail: zagar@arlut.utexas.edu
Applied Research Laboratories
Phone: 512 835-3131
Univ. of Texas at Austin
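As an added example (not from this thread, nor audit-userspace code), here is a small Python reduction of raw auditd SYSCALL/PATH records to exactly the fields Karen lists (who, what, when, which command, success), keeping only the unsuccessful accesses that the ISL answer says are required. The log lines are constructed for the example, and the rule key "sro" is a placeholder, not a key from this thread.

```python
import os
import re
from datetime import datetime, timezone

# Constructed auditd records (not real logs). The event id after the colon
# ties each SYSCALL record to the PATH record(s) of the same event.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1170096000.123:4567): arch=c000003e syscall=87 success=no exit=-13 items=1 pid=1235 auid=500 uid=500 euid=500 comm="rm" exe="/bin/rm" key="sro"
type=PATH msg=audit(1170096000.123:4567): item=0 name="/secure/plan.doc" inode=99 mode=0100600 ouid=0
type=SYSCALL msg=audit(1170096001.456:4568): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=1240 auid=500 uid=500 euid=500 comm="cat" exe="/bin/cat" key="sro"
type=PATH msg=audit(1170096001.456:4568): item=0 name="/secure/readme.txt" inode=100 mode=0100644 ouid=0
type=SYSCALL msg=audit(1170096002.789:4569): arch=c000003e syscall=90 success=no exit=-1 items=1 pid=1241 auid=501 uid=501 euid=501 comm="chmod" exe="/bin/chmod" key="sro"
type=PATH msg=audit(1170096002.789:4569): item=0 name="/secure/plan.doc" inode=99 mode=0100600 ouid=0
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(rest):
    # Split the key=value tail of one record; quoted values lose their quotes.
    return {k: v.strip('"') for k, v in FIELD.findall(rest)}

def failed_accesses(log_text):
    """Return who/what/when/command/error for every event with success=no."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, secs, eid, rest = m.groups()
        ev = events.setdefault(eid, {"paths": []})
        fields = parse_fields(rest)
        if rtype == "SYSCALL":
            ev.update(fields)
            ev["when"] = datetime.fromtimestamp(int(secs), timezone.utc)
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))
    report = []
    for eid in sorted(events, key=int):
        ev = events[eid]
        if ev.get("success") != "no":
            continue  # per the ISL answer, successful accesses need not be kept
        report.append({
            "who": ev.get("auid"),   # login uid: survives su/sudo, unlike uid
            "what": ev["paths"],
            "when": ev["when"].isoformat(),
            "command": ev.get("comm"),
            "error": os.strerror(-int(ev.get("exit", "0"))),
        })
    return report
```

On a live system the same function can be fed the output of `ausearch --raw -k <key>`, since that is the format it parses.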