What is invalid class in openbsm? And why not audit write/writev/dup2?

Yuan MailList yuan.maillist at gmail.com
Mon Nov 7 14:44:04 GMT 2005


Thanks for your answer.

When selecting which syscalls to audit, are there any criteria?

I mean, why are some syscalls audited while others are not?


On 11/7/05, Ilmar S. Habibulin <ilmar at watson.org> wrote:
>
>
>
> On Fri, 4 Nov 2005, Yuan MailList wrote:
>
> > 2. Why not audit syscall write(2)/writev/dup2 in trusted_audit3?
> > I think these syscalls are important for system security and should be
> > audited. For security, the events of write and modify to files are more
> > important than those of read to files. Is it right? :-)
>
> If you simply audit the write call, your trail will be trashed with such
> entries. You need just the open-for-writing audit entry, nothing more in the
> common situation. The only reason to audit write calls is MAC, or even
> MAC debugging, because labels of subjects and objects may change between
> two write calls to the same fd. So audit records will help to track down
> the problem.
>
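The trade-off Ilmar describes (audit open-for-write and keep the trail small, versus audit every write and catch MAC label changes between two writes on the same fd) can be made concrete with a small replay model. The following is an added example, not OpenBSM code and not the record format BSM actually writes; the syscall traces, the two policy names and the `relabel` pseudo-event are constructed for illustration.

```python
from typing import Dict, List

# A syscall trace is a list of tuples: ("open", path, mode), ("dup2", old, new),
# ("write"/"writev", fd, nbytes), ("relabel", new_subject_label), ("close", fd).
# Everything here is a constructed model; it is not OpenBSM's event table.


def audit_trail(trace, policy, subject_label="low"):
    """Replay a syscall trace and return the records a given audit policy emits.

    policy == "open_for_write": one record per open(2) with a write mode
                                (the normal-case policy Ilmar recommends).
    policy == "every_write":    one record per write(2)/writev(2), carrying the
                                subject label at call time (the MAC-debugging case).
    """
    fds: Dict[int, str] = {}          # fd -> path, so records can name the file
    label = subject_label
    records: List[dict] = []
    next_fd = 3                       # 0-2 are stdio in the model
    for call in trace:
        name = call[0]
        if name == "open":
            _, path, mode = call
            fd = next_fd
            next_fd += 1
            fds[fd] = path
            if policy == "open_for_write" and mode in ("w", "rw"):
                records.append({"event": "open_w", "path": path, "label": label})
        elif name == "dup2":
            _, old, new = call
            fds[new] = fds[old]       # alias: writes on `new` still hit the file
                                      # named by the original open record
        elif name in ("write", "writev"):
            _, fd, nbytes = call
            if policy == "every_write":
                records.append({"event": name, "path": fds[fd],
                                "bytes": nbytes, "label": label})
        elif name == "relabel":
            label = call[1]           # MAC: subject label changes mid-stream
        elif name == "close":
            fds.pop(call[1], None)
    return records


def labels_seen(records):
    """Distinct subject labels present in a trail (sorted for stable comparison)."""
    return sorted({r["label"] for r in records})


# Constructed trace 1: one open for writing, an fd alias, then 100 writes.
BULK_TRACE = ([("open", "/var/log/app.log", "w"), ("dup2", 3, 7)]
              + [("write", 7, 64)] * 100
              + [("close", 7), ("close", 3)])

# Constructed trace 2: the subject's MAC label changes between two writes.
MAC_TRACE = [("open", "/etc/secret", "w"), ("write", 3, 10),
             ("relabel", "high"), ("write", 3, 10), ("close", 3)]

if __name__ == "__main__":
    for policy in ("open_for_write", "every_write"):
        bulk = audit_trail(BULK_TRACE, policy)
        mac = audit_trail(MAC_TRACE, policy)
        print(f"{policy:15s} bulk trail: {len(bulk):3d} records; "
              f"MAC trail labels: {labels_seen(mac)}")
```

Running it shows the two halves of the argument side by side: the open-for-write policy yields one record for the bulk trace (the dup2 alias needs no extra record, since the path was captured at open time) while the every-write policy yields a hundred; but only the every-write policy's trail for the MAC trace contains both labels, which is exactly the information a MAC debugger would need.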