Actually, the exact wording says:
"Successful and unsuccessful accesses to security-relevant objects and
directories"
It does not specify exactly how that should be collected, but the
NISPOM does request that the audit record include who tried to access
it, what they tried to access, the time and date of the access attempt,
what command they were trying to run (rm, chmod, etc.), and if they
were successful or not. What happens behind the scenes after the
operating system takes over the request may not be of as much interest
unless collecting that info helps to provide the above details to the
audit record.
-Karen Wieprecht
-----Original Message-----
From: linux-audit-bounces(a)redhat.com
[mailto:linux-audit-bounces@redhat.com] On Behalf Of Steve Grubb
Sent: Friday, January 26, 2007 12:38 PM
To: linux-audit(a)redhat.com
Cc: Todd, Charles
Subject: Re: close(2) not being audited?
On Thursday 28 December 2006 16:58, Todd, Charles wrote:
NISPOM 8-602 requires that CLOSE operations on security-relevant
objects be logged.
Out of curiosity, what level of effort does the audit system need to go
to?
Would auditing the close syscall be sufficient? Does dups() need to be
followed? What about descriptor inheritance? And passing descriptors
between processes via af_unix?
-Steve
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit