Out of curiosity, what level of effort does the audit system need to
go to? Would auditing the close syscall be sufficient? Does dups()
need to be followed? What about descriptor inheritance? And passing
descriptors between processes via af_unix?

Keeping track of the life cycle of file descriptors, through dups,
forks, and close-on-execs, is what Polgen's tracker does. Well,
almost--it doesn't handle passing descriptors between processes via
af_unix, and it doesn't handle the System V IPC calls invoked through
ipc. In short, once the audit parsing library is available, I'll use
it to feed the results of an ausearch to the tracker. Its output may
be of use in analyzing logs, in addition to being an important
component in our policy generation tool.

John
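As an added illustration of the descriptor bookkeeping described in the reply above (this is not Polgen's tracker and not code from this thread), the following Python tracker replays a constructed stream of syscall events and keeps a per-process descriptor table through open, dup/dup2, fcntl(F_SETFD), fork, execve and close. The event dictionaries are an assumed, simplified format rather than raw audit records; a real feed would come from the audit parsing library the message mentions. Descriptor passing over AF_UNIX (SCM_RIGHTS) is deliberately recorded as an unmodelled event instead of guessed at, matching the gap the message notes.

```python
"""Minimal file-descriptor lifecycle tracker over a stream of syscall events.

Added illustration, not Polgen's tracker: the event dicts below are a
constructed format, not raw audit records (a real feed would come from
an audit parsing library such as auparse).
"""
from dataclasses import dataclass, field


@dataclass
class FdEntry:
    path: str
    cloexec: bool = False   # FD_CLOEXEC flag: descriptor dropped on execve


@dataclass
class Process:
    fds: dict = field(default_factory=dict)   # fd number -> FdEntry


class FdTracker:
    def __init__(self):
        self.procs = {}        # pid -> Process
        self.unsupported = []  # events whose effect the tracker cannot model

    def _proc(self, pid):
        return self.procs.setdefault(pid, Process())

    def handle(self, ev):
        sc, p = ev["syscall"], self._proc(ev["pid"])
        if sc in ("open", "openat") and ev["ret"] >= 0:
            p.fds[ev["ret"]] = FdEntry(ev["path"], ev.get("cloexec", False))
        elif sc in ("dup", "dup2") and ev["ret"] >= 0:
            src = p.fds.get(ev["fd"])
            if src is not None:
                # POSIX: the duplicate never carries FD_CLOEXEC, and dup2
                # implicitly closes whatever the target number referred to.
                p.fds[ev["ret"]] = FdEntry(src.path, False)
        elif sc == "fcntl_setfd" and ev["fd"] in p.fds:
            p.fds[ev["fd"]].cloexec = bool(ev["cloexec"])
        elif sc == "close":
            p.fds.pop(ev["fd"], None)
        elif sc in ("fork", "clone") and ev["ret"] > 0:
            # the child starts with a copy of the parent's table
            self.procs[ev["ret"]] = Process(
                {fd: FdEntry(e.path, e.cloexec) for fd, e in p.fds.items()})
        elif sc == "execve":
            p.fds = {fd: e for fd, e in p.fds.items() if not e.cloexec}
        elif sc == "exit":
            self.procs.pop(ev["pid"], None)
        elif sc == "sendmsg" and ev.get("scm_rights"):
            # descriptor passing over AF_UNIX: the receiving side cannot be
            # reconstructed from this event alone, so record the gap
            self.unsupported.append(ev)
        # every other syscall leaves the descriptor tables unchanged

    def open_files(self, pid):
        """Distinct paths a process can still reach through some descriptor."""
        p = self.procs.get(pid)
        return sorted({e.path for e in p.fds.values()}) if p else []


# Constructed event stream (not a real audit log): a daemon opens two files,
# dups one, forks, and the child execs; then each side closes something.
SAMPLE_EVENTS = [
    {"pid": 100, "syscall": "openat", "path": "/etc/shadow", "ret": 3},
    {"pid": 100, "syscall": "openat", "path": "/var/log/app.log", "ret": 4, "cloexec": True},
    {"pid": 100, "syscall": "dup", "fd": 3, "ret": 5},
    {"pid": 100, "syscall": "fork", "ret": 200},
    {"pid": 200, "syscall": "execve"},            # fd 4 vanishes here
    {"pid": 100, "syscall": "close", "fd": 3},    # parent keeps shadow via fd 5
    {"pid": 200, "syscall": "close", "fd": 5},    # child keeps shadow via fd 3
    {"pid": 200, "syscall": "sendmsg", "scm_rights": True, "fd": 3},
]


def run_sample():
    tr = FdTracker()
    for ev in SAMPLE_EVENTS:
        tr.handle(ev)
    return tr


if __name__ == "__main__":
    t = run_sample()
    for pid in sorted(t.procs):
        print(pid, t.open_files(pid))
    print("unmodelled events:", len(t.unsupported))
```

The point the replay makes is the one raised in the question: auditing close alone is not enough, because after the parent closes fd 3 it still reaches /etc/shadow through the dup'd fd 5, and the exec'd child still holds it through the inherited fd 3. Only the close-on-exec descriptor actually disappears at execve.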