Re: close(2) not being audited?

On Fri, Jan 26, 2007 at 03:14:10PM -0500, Wieprecht, Karen M. wrote: > Actually, the exact wording says: > > "Successful and unsuccessful accesses to security-relevant objects and > directories" > > It does not specify exactly how that should be collected, but the > NISPOM does request that the audit record include who tried to access > it, what they tried to access, the time and date of the access attempt, > what command they were trying to run (rm, chmod, etc.), and if they > were successful or not. What happens behind the scenes after the > operating system takes over the request may not be of as much interest > unless collecting that info helps to provide the above details to the > audit record. Please, define "access". Consider the following sequence: on April 1st: fd = open(foo, O_RDWR); p = mmap(..., fd, ...); close(fd); two days later: modify area pointed to by p a month later: munmap(p, ...); What do you want in the log? More specifically, _when_ do you want it?