Re: close(2) not being audited?
On Thursday 28 December 2006 16:58, Todd, Charles wrote:
NISPOM 8-602 requires that CLOSE operations on security-relevant
objects be
logged.
Out of curiosity, what level of effort does the audit system need to go to?
Would auditing the close syscall be sufficient? Does dups() need to be
followed? What about descriptor inheritance? And passing descriptors between
processes via af_unix?
-Steve