On Fri, 26 Jan 2007 17:19:33 -0500 Alexander Viro <[EMAIL PROTECTED]> wrote:
> On Fri, Jan 26, 2007 at 03:14:10PM -0500, Wieprecht, Karen M. wrote:
> > Actually, the exact wording says:
> >
> > "Successful and unsuccessful accesses to security-relevant objects and
> > directories"
> >
> > It does not specify exactly how that should be collected, but the
> > NISPOM does request that the audit record include who tried to access
> > it, what they tried to access, the time and date of the access attempt,
> > what command they were trying to run (rm, chmod, etc.), and if they
> > were successful or not. What happens behind the scenes after the
> > operating system takes over the request may not be of as much interest
> > unless collecting that info helps to provide the above details to the
> > audit record.
>
> Please, define "access". Consider the following sequence:
>     on April 1st:
>         fd = open(foo, O_RDWR);
>         p = mmap(..., fd, ...);
>         close(fd);
>     two days later: modify area pointed to by p
>     a month later: munmap(p, ...);
>
> What do you want in the log? More specifically, _when_ do you want it?

Write out a log when the last reference to the fd is put back... whether
that's from a close or an munmap.

-tim

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
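The open/mmap/close sequence from the quoted message, as a runnable C program (an added example, not code from the thread; the scratch path and the function name are assumptions). It shows that a store made after close(fd) still reaches the file, with no descriptor and no system call at the moment of modification for an audit hook to observe.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns 1 if a store made through the mapping after close(fd) is
 * visible in the file, 0 if it is not, -1 on a setup error. */
int write_after_close_reaches_file(void)
{
    char path[64];
    char buf[8] = {0};
    int result = -1;

    /* Constructed scratch file; the name is an assumption of this example. */
    snprintf(path, sizeof path, "/tmp/audit-mmap-demo-%ld", (long)getpid());

    /* "April 1st": the only moment a descriptor exists. */
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, "before\n", 7) != 7) { close(fd); unlink(path); return -1; }

    char *p = mmap(NULL, 7, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);                       /* fd is gone; the mapping still pins the file */
    if (p == MAP_FAILED) { unlink(path); return -1; }

    /* "Two days later": a plain memory store, no syscall involved. */
    memcpy(p, "after!\n", 7);
    msync(p, 7, MS_SYNC);

    /* "A month later": the last reference to the open file is dropped. */
    munmap(p, 7);

    /* Re-read through a fresh descriptor to see what landed in the file. */
    fd = open(path, O_RDONLY);
    if (fd >= 0) {
        if (read(fd, buf, 7) == 7)
            result = (memcmp(buf, "after!\n", 7) == 0);
        close(fd);
    }
    unlink(path);
    return result;
}

int main(void)
{
    int r = write_after_close_reaches_file();
    printf("store after close(fd) reached the file: %d\n", r);
    return r == 1 ? 0 : 1;
}
```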
