On Thursday 28 December 2006 16:58, Todd, Charles wrote: > NISPOM 8-602 requires that CLOSE operations on security-relevant objects be > logged.
Out of curiosity, what level of effort does the audit system need to go to? Would auditing the close syscall be sufficient? Does dups() need to be followed? What about descriptor inheritance? And passing descriptors between processes via af_unix? -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
