What is invalid class in openbsm? And why not audit write/writev/dup2?
Yuan MailList
yuan.maillist at gmail.com
Mon Nov 7 00:58:06 GMT 2005
NOBODY help me???
On 11/4/05, Yuan MailList <yuan.maillist at gmail.com> wrote:
>
> Some puzzles following as:
> ---------------------------------------------------------------------
> 1. What is invalid class in openbsm? Why audit pipe in src?
>
> In BSM, no is the invalid class. Events mapped to this class are not
> audited. Events mapped solely to the no class are not audited, even if the
> all class is turned on. [refs to "SunSHIELD Basic Security Module Guide" ]
>
> And the system call pipe(2) is in just this class [refers to the file
> contrib/bsm/etc/audit_event, 185:AUE_PIPE:pipe(2):no]
>
> It means that pipe(2) should not be audited. But in the source code of
> trusted_audit3, this syscall is audited. Should you remove it and not
> audit this syscall?
>
> 2. Why not audit the syscalls write(2)/writev/dup2 in trusted_audit3?
> I think these syscalls are important for system security and should be
> audited. For security, the events of writing to and modifying files are more
> important than those of reading files. Is that right? :-)
> 3. In BSM, there is a new syscall auditsvc(). Will this syscall be added
> to trusted_audit3?
> 4. In the src file sys/security/audit/kern_bsm_audit.c (lines 567):
> case AUE_CLOSE:
> tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
> I think it should be:
> case AUE_CLOSE:
> tok = au_to_arg32(1, "fd", ar->ar_arg_fd);
>
> ----------------------------------------------------------------------------------------
> Could somebody give me answers for above questions?
>
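The `no` class rule quoted in point 1 (an event mapped only to `no` is never audited, even when `all` is selected), as an added example that is not part of this thread or of OpenBSM: a small Python check that parses audit_class(5)- and audit_event(5)-style text, applies a preselection class list the way the kernel's mask comparison does, and reports which events can never be audited. The file excerpts are constructed; only the `185:AUE_PIPE:pipe(2):no` line is taken from the message, the other event numbers are placeholders, and the `+`/`-`/`^` prefixes of audit_control's `flags:` line are not modelled.

```python
"""Which audit_event entries are actually audited for a given class selection?

Added example, not code from OpenBSM or from the trustedbsd-audit thread.
The excerpts below are constructed in the audit_class(5) and audit_event(5)
formats; the AUE_PIPE line is the one quoted in the thread, the remaining
event numbers are placeholders.
"""

# Constructed excerpt in audit_class(5) format: mask:name:description.
# 'no' has mask 0, so it can never match a preselection mask.
AUDIT_CLASS = """\
0x00000000:no:invalid class
0x00000001:fr:file read
0x00000002:fw:file write
0x00000040:cl:file close
0x00000080:pc:process
0xffffffff:all:all flags set
"""

# Constructed excerpt in audit_event(5) format: number:name:description:classes.
AUDIT_EVENT = """\
# blank lines and comments are skipped
112:AUE_CLOSE:close(2):cl
185:AUE_PIPE:pipe(2):no
2:AUE_FORK:fork(2):pc
3:AUE_OPEN_RW:open(2) - read,write:fr,fw
"""


def _records(text):
    """Yield non-empty, non-comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_audit_class(text):
    """Return {class_name: bitmask} from audit_class-format text."""
    masks = {}
    for line in _records(text):
        mask, name, _desc = line.split(":", 2)
        masks[name] = int(mask, 16)
    return masks


def parse_audit_event(text):
    """Return {event_name: (number, description, [class, ...])}."""
    events = {}
    for line in _records(text):
        num, name, desc, classes = line.split(":", 3)
        events[name] = (int(num), desc, classes.split(","))
    return events


def class_mask(names, masks):
    """OR the masks of the named classes (unknown names are an error)."""
    mask = 0
    for name in names:
        name = name.strip()
        if name:
            mask |= masks[name]
    return mask


def audited_events(event_text, class_text, flags):
    """Events whose class mask intersects the selected classes in `flags`
    (a comma-separated list as in audit_control's flags: line, prefixes
    not modelled)."""
    masks = parse_audit_class(class_text)
    events = parse_audit_event(event_text)
    selected = class_mask(flags.split(","), masks)
    return sorted(name for name, (_n, _d, classes) in events.items()
                  if class_mask(classes, masks) & selected)


def never_audited(event_text, class_text):
    """Events whose class mask is 0: mapped solely to 'no', so no flags
    setting, not even 'all', will ever select them."""
    masks = parse_audit_class(class_text)
    events = parse_audit_event(event_text)
    return sorted(name for name, (_n, _d, classes) in events.items()
                  if class_mask(classes, masks) == 0)


if __name__ == "__main__":
    print("audited with flags 'all':", audited_events(AUDIT_EVENT, AUDIT_CLASS, "all"))
    print("never audited:", never_audited(AUDIT_EVENT, AUDIT_CLASS))
```

Running it shows `AUE_PIPE` missing from the `all` selection and listed by `never_audited`, which is the behaviour the BSM guide describes; the same check run over a real audit_event file tells you which syscalls the installed mapping has opted out of auditing before you wonder why they are absent from the trail.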