Actually, the exact wording says: "Successful and unsuccessful accesses to security-relevant objects and directories"
It does not specify exactly how that should be collected, but the NISPOM does request that the audit record include who tried to access it, what they tried to access, the time and date of the access attempt, what command they were trying to run (rm, chmod, etc.), and if they were successful or not. What happens behind the scenes after the operating system takes over the request may not be of as much interest unless collecting that info helps to provide the above details to the audit record. -Karen Wieprecht -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Grubb Sent: Friday, January 26, 2007 12:38 PM To: [email protected] Cc: Todd, Charles Subject: Re: close(2) not being audited? On Thursday 28 December 2006 16:58, Todd, Charles wrote: > NISPOM 8-602 requires that CLOSE operations on security-relevant > objects be logged. Out of curiosity, what level of effort does the audit system need to go to? Would auditing the close syscall be sufficient? Does dups() need to be followed? What about descriptor inheritance? And passing descriptors between processes via af_unix? -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
