NOBODY help me???<br><br>
<div><span class="gmail_quote">On 11/4/05, <b class="gmail_sendername">Yuan MailList</b> <<a href="mailto:yuan.maillist@gmail.com">yuan.maillist@gmail.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div>Some puzzles following as:</div>
<div>---------------------------------------------------------------------</div>
<div> </div>
<div>1. What is invalid class in openbsm? Why audit pipe in src?</div>
<p>In BSM, no is the invalid class. Events mapped to this class are not audited. Events mapped solely to the no class are not audited, even if the all class is turned on. [refs to "SunSHIELD Basic Security Module Guide" ]
</p>
<p>And system call - pipe(2) - is just in this class [refers to the file contrib/bsm/etc/audit_event, 185:AUE_PIPE:pipe(2):no]</p>
<p>It means that pipe(2) should not be audited. But in the source codes of trusted_audit3, this syscall is audited. Should you remove it away and not audit this syscall? </p>
<p>2. Why not audit syscall write(2)/writev/dup2 in trusted_audit3? </p>
<div>I think these syscalls are important for system security and should be audited. For security, the events of write and modify to files are more important than those of read to files. Is it right? :-)</div>
<div> </div>
<div>3. In BSM, there is a news syscall auditsvc(). Will this syscall is added to trusted_audit3?</div>
<div> </div>
<div>4. In the src file sys/security/audit/kern_bsm_audit.c (lines 567):</div>
<div> </div>
<div> case AUE_CLOSE:<br> tok = au_to_arg32(2, "fd", ar->ar_arg_fd);</div>
<div> </div>
<div>I think it should be:</div>
<div>
<div> case AUE_CLOSE:<br> tok = au_to_arg32(1, "fd", ar->ar_arg_fd);</div>
<div> </div></div>
<div>----------------------------------------------------------------------------------------</div>
<div> </div>
<div>Could somebody give me answers for above questions?</div>
<div> </div>
<div> </div></blockquote></div><br>