What is invalid class in openbsm? And why not audit write/writev/dup2?

Yuan MailList yuan.maillist at gmail.com
Fri Nov 4 02:51:53 GMT 2005


Some puzzles follow:
---------------------------------------------------------------------
1. What is the invalid class in openbsm? Why audit pipe in src?

In BSM, no is the invalid class. Events mapped to this class are not
audited. Events mapped solely to the no class are not audited, even if the
all class is turned on. [refs to "SunSHIELD Basic Security Module Guide" ]

And the system call pipe(2) is in exactly this class [refers to the file
contrib/bsm/etc/audit_event, 185:AUE_PIPE:pipe(2):no]

It means that pipe(2) should not be audited. But in the source code of
trusted_audit3, this syscall is audited. Should you remove it and not
audit this syscall?

2. Why not audit the syscalls write(2)/writev/dup2 in trusted_audit3?
I think these syscalls are important for system security and should be
audited. For security, the events of writing to and modifying files are more
important than those of reading files. Is that right? :-)

3. In BSM, there is a new syscall auditsvc(). Will this syscall be added
to trusted_audit3?

4. In the src file sys/security/audit/kern_bsm_audit.c (line 567):
  case AUE_CLOSE:
      tok = au_to_arg32(2, "fd", ar->ar_arg_fd);
I think it should be:
  case AUE_CLOSE:
      tok = au_to_arg32(1, "fd", ar->ar_arg_fd);

----------------------------------------------------------------------------------------
Could somebody give me answers to the above questions?
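The class-mask rule behind question 1, as an added example that is not part of the original post or of OpenBSM itself: it parses constructed excerpts in the audit_class(5)/audit_event(5) format, builds the success/failure masks from audit_control(5)-style flags and applies the preselection test, which shows why an event mapped solely to the `no` class (mask 0x0) is never recorded even when `all` is turned on. The class bit values and the AUE_CLOSE line are constructed for illustration; only the AUE_PIPE line is taken from the post.

```python
# Constructed excerpts in the colon-separated formats of OpenBSM's
# audit_class(5) and audit_event(5); the AUE_PIPE line is the one quoted above.
AUDIT_CLASS = """\
0x00000000:no:invalid class
0x00000002:fw:file write
0x00000040:cl:file close
0x00001000:lo:login_logout
0xffffffff:all:all flags set
"""
AUDIT_EVENT = """\
42:AUE_CLOSE:close(2):cl
185:AUE_PIPE:pipe(2):no
"""

def records(text):
    # Yield the colon-separated fields of each non-comment, non-empty line.
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":")

def parse_classes(text):
    """Class name -> bitmask.  'no' is mask 0x0, which is why it is 'invalid'."""
    return {name: int(mask, 16) for mask, name, _desc in records(text)}

def parse_events(text, classes):
    """Event name -> OR of the masks of every class the event is mapped to."""
    events = {}
    for _num, name, _desc, cls in records(text):
        events[name] = 0
        for c in cls.split(","):
            events[name] |= classes[c]
    return events

def parse_flags(flags, classes):
    """audit_control(5) flags, e.g. 'lo,+fw,-cl' -> (success_mask, failure_mask);
    '+' selects successful calls only, '-' failed calls only, no prefix both."""
    succ = fail = 0
    for f in flags.split(","):
        f = f.strip()
        sign, name = (f[0], f[1:]) if f[0] in "+-" else ("", f)
        if sign != "-":
            succ |= classes[name]
        if sign != "+":
            fail |= classes[name]
    return succ, fail

def is_audited(event, events, masks, success=True):
    """Preselection: record the event if any of its class bits is in the matching mask."""
    succ, fail = masks
    return bool(events[event] & (succ if success else fail))
```

Because the `no` class contributes no bits, `events["AUE_PIPE"] & mask` is zero for every mask, including the `all` mask of 0xffffffff.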