On Wed, 2005-02-23 at 13:58 -0600, Klaus Weidner wrote:
On Tue, Feb 22, 2005 at 01:58:42PM -0600, Timothy R. Chavez wrote:
read() and write() aren't considered security relevant operations since
they don't do any permission checks. From the CC point of view the
interesting call is open(), and if that's properly handled it's enough.
In most real-world scenarios you probably won't want to be auditing read
and write operations individually anyway.
Agree with Klaus here. Although there are conceptually a few areas where
read & write auditing could be useful, practically, you're swamped with
so much useless data, that finding the useful information in amongst all
the other stuff is so much of a challenge that it's not worth turning
on.
Examples of possible positives:
* User accessed /etc/passwd in write mode... but did they actually
CHANGE it?
* Bandwidth hog needs to be identified, so look for bulk reads and
writes on network sockets.
.. but there are other ways of effectively getting the same information,
with much less system and administrator overhead (eg: tripwire, tcpdump)
- so I wouldn't recommend adding this in.
L.
--
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/