On 01/08/2015 04:55 PM, Alexander Viro wrote:
> Incidentally, that's a fine example of the reasons why syscall audit is
> useless for almost anything other than CYA. It's not that syscall tracing
> is useless - strace can be quite useful, actually. It's the bogus
> impression of coverage in case of watching what a live system does - a
> whole lot of events simply do not map on "somebody had done a syscall
> with such and such arguments".
All true & well put; thank you.
The CYA factor IS important. But the translation magic from user actions
to syscalls (and back - from intent to result) is where it gets interesting.
The forensics challenge with the data we have is what some of us are
grappling with now (forever).
LCB
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com
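[Added illustration, not part of the thread above and not code from either poster: one concrete case of an event that never shows up as "a syscall with such and such arguments". The program below changes a file's contents through a MAP_SHARED mapping with ordinary memory stores, so no write(2)/pwrite(2) is ever issued; an audit rule keyed on write syscalls against that path records nothing, while the data on disk still changed. The /tmp filename template and the payload string are assumptions chosen for the demo.]

```c
/* Added example (not from the mailing-list thread): modify a file's data
 * without any write(2) syscall, to show a gap in syscall-argument auditing.
 * The path template and payload are demo assumptions. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

/* Creates an unlinked temp file sized to strlen(payload) with ftruncate(2),
 * stores `payload` into it through a shared mapping, then reads the result
 * back with pread(2) into `out`. Returns the number of bytes read back, or -1
 * on failure. The only data-changing step is the memcpy into the mapping:
 * no write(2)/pwrite(2)/writev(2) is ever issued for this file. */
ssize_t modify_without_write(const char *payload, char *out, size_t outlen)
{
    char path[] = "/tmp/audit-gap-XXXXXX";   /* assumed writable location */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                            /* the fd keeps the inode alive */

    size_t len = strlen(payload);
    if (len == 0 || len > outlen) {
        close(fd);
        return -1;
    }

    /* Give the file its size without writing: ftruncate(2) extends with zeros. */
    if (ftruncate(fd, (off_t)len) != 0) {
        close(fd);
        return -1;
    }

    char *map = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) {
        close(fd);
        return -1;
    }

    /* The "event": plain stores to memory change the file's contents. An
     * audit rule watching write-family syscalls on this path sees nothing. */
    memcpy(map, payload, len);
    msync(map, len, MS_SYNC);                /* push the dirty page to the file */
    munmap(map, len);

    /* Prove the change landed in the file with a real read syscall. */
    ssize_t n = pread(fd, out, len, 0);
    close(fd);
    return n;
}

int main(void)
{
    char buf[128];
    const char *msg = "mapped store, no write(2)";
    ssize_t n = modify_without_write(msg, buf, sizeof buf);
    if (n < 0) {
        perror("modify_without_write");
        return 1;
    }
    printf("file now holds %zd bytes: %.*s\n", n, (int)n, buf);
    printf("write(2) calls issued for the file: 0\n");
    return 0;
}
```

Run it under `strace -e trace=write,pwrite64` (or with an audit rule on the write syscalls) and the only writes you will see are printf's to stdout; the file contents still changed. The same shape applies to other non-syscall-shaped events: a path that is renamed between audit and use, data moved over a descriptor that was passed in via SCM_RIGHTS, and so on.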