On Fri, Jan 26, 2007 at 03:14:10PM -0500, Wieprecht, Karen M. wrote:
> Actually, the exact wording says:
> "Successful and unsuccessful accesses to security-relevant objects and
> directories"
> It does not specify exactly how that should be collected, but the
> NISPOM does request that the audit record include who tried to access
> it, what they tried to access, the time and date of the access attempt,
> what command they were trying to run (rm, chmod, etc.), and if they
> were successful or not. What happens behind the scenes after the
> operating system takes over the request may not be of as much interest
> unless collecting that info helps to provide the above details to the
> audit record.
Please, define "access". Consider the following sequence:
on April 1st:
fd = open(foo, O_RDWR);
p = mmap(..., fd, ...);
close(fd);
two days later: modify area pointed to by p
a month later: munmap(p, ...);
What do you want in the log? More specifically, _when_ do you want it?
Is that close() worth more than munmap()? All file access will be done
at least a couple of days after it, and the file will remain open for more than
a month, despite a successful call to close(2).
The main question here is what are those logs supposed to be useful for,
besides the CYA exercises.
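The sequence in the reply above, run for real as an added example (this is not code from the thread or from any audit subsystem). It creates a constructed temporary file, opens it, maps it MAP_SHARED, closes the descriptor, then writes through the mapping and unmaps; a fresh open afterwards shows the write landed even though close(2) succeeded before any data changed. The path template, the two text strings and the use of Linux/POSIX mmap semantics are assumptions of the example.

```c
/* Added example, not from the mail thread: open, mmap, close, modify
 * through the mapping, munmap, then check what the file contains. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed contents for the demonstration file. */
static const char OLD_TEXT[] = "original contents of foo, untouched so far";
static const char NEW_TEXT[] = "modified through the mapping after close()";

/* Create a throwaway file holding OLD_TEXT. mkstemp() replaces the
 * XXXXXX part of tmpl in place. Returns 0 on success, -1 on failure. */
int write_sample_file(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, OLD_TEXT, sizeof OLD_TEXT);
    close(fd);
    return n == (ssize_t)sizeof OLD_TEXT ? 0 : -1;
}

/* Read the file back through a brand-new descriptor and report whether
 * its leading bytes equal NEW_TEXT: 1 = modified, 0 = unchanged, -1 = error. */
int file_shows_new_text(const char *path)
{
    char buf[sizeof NEW_TEXT];
    size_t want = strlen(NEW_TEXT);
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, want);
    close(fd);
    if (n != (ssize_t)want)
        return -1;
    return memcmp(buf, NEW_TEXT, want) == 0;
}

/* The sequence from the mail. Returns 1 if the file shows the post-close
 * modification, 0 if it does not, -1 on error. */
int modify_after_close(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDWR);            /* "April 1st": the open */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || st.st_size < (off_t)strlen(NEW_TEXT)) {
        close(fd);
        return -1;
    }
    size_t len = (size_t)st.st_size;
    char *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p == MAP_FAILED) {
        close(fd);
        return -1;
    }
    close(fd);      /* close(2) succeeds here, but the file is still reachable via p */

    /* "two days later": no descriptor refers to the file, yet it changes. */
    memcpy(p, NEW_TEXT, strlen(NEW_TEXT));

    /* "a month later": only now does the mapping go away. */
    if (munmap(p, len) < 0)
        return -1;

    return file_shows_new_text(path);
}

/* Drive the whole demonstration on a constructed temp file and clean up.
 * Returns 1 when the write made after close() reached the file. */
int run_demo(void)
{
    char path[] = "/tmp/audit-mmap-demo-XXXXXX";   /* constructed template path */
    if (write_sample_file(path) < 0)
        return -1;
    int result = modify_after_close(path);
    unlink(path);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("file modified after close(): %s\n", r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

An audit record keyed on open(2) and close(2) would bracket an "access" that ended before any byte was written; an auditor wanting who/what/when for the modification would need the write-through-mapping or the munmap(2) as well, which is exactly the question the reply raises.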