What is invalid class in openbsm? And why not audit write/writev/dup2?
Ilmar S. Habibulin
ilmar at watson.org
Mon Nov 7 12:21:06 GMT 2005
On Fri, 4 Nov 2005, Yuan MailList wrote:
> 2. Why not audit syscall write(2)/writev/dup2 in trusted_audit3?
> I think these syscalls are important for system security and should be
> audited. For security, the events of write and modify to files are more
> important than those of read to files. Is it right? :-)
If you simply audit the write call, your trail will be trashed with such
entries. You need just an open-for-writing audit entry, nothing more in the
common situation. The only reason to audit write calls is MAC, or even
MAC debugging, because labels of subjects and objects may change between
two write calls to the same fd. So audit records will help to track down
the problem.
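The trade-off Ilmar describes, as an added model that is not code from OpenBSM or from this thread: a small Python simulation over a constructed syscall trace compares the records produced when only open-for-write is audited against auditing every write(2), and adds the MAC case where a label change between two writes on the same fd is the one thing worth a record. The `Call` type, the policy function and the trace are all constructed here for illustration.

```python
"""Model of an audit policy: open-for-write only, every write(2), or MAC label tracking."""
from dataclasses import dataclass


@dataclass
class Call:
    """One syscall in a constructed trace (not a real BSM record)."""
    syscall: str        # "open", "write" or "close"
    fd: int
    path: str = ""      # only meaningful for open
    flags: str = ""     # "r" or "w", only for open
    label: str = ""     # MAC label of the object at call time (constructed)


def audit_trail(trace, audit_write=False, track_labels=False):
    """Return the records a policy would emit for the trace.
    audit_write:  also record every write(2) (the 'trashed trail' case).
    track_labels: record a write only when the object's MAC label changed
                  since the previous write on that fd (the MAC-debugging case)."""
    records, fd_path, fd_label = [], {}, {}
    for c in trace:
        if c.syscall == "open":
            fd_path[c.fd], fd_label[c.fd] = c.path, c.label
            if "w" in c.flags:                      # open for writing: always worth a record
                records.append(("open_w", c.path))
        elif c.syscall == "write":
            if audit_write:
                records.append(("write", fd_path[c.fd]))
            elif track_labels and c.label != fd_label[c.fd]:
                records.append(("write_label_change", fd_path[c.fd], fd_label[c.fd], c.label))
            fd_label[c.fd] = c.label
        elif c.syscall == "close":
            fd_path.pop(c.fd, None)
            fd_label.pop(c.fd, None)
    return records


def modified_paths(records):
    """Set of files the trail shows as opened or written for writing."""
    return {r[1] for r in records}


# Constructed trace: a logger appending 1000 lines (label changes half-way),
# one config edit, and one read-only open that should produce nothing.
TRACE = [Call("open", 3, "/var/log/app.log", "w", "low")]
TRACE += [Call("write", 3, label="low") for _ in range(500)]
TRACE += [Call("write", 3, label="high") for _ in range(500)]   # MAC label changed mid-stream
TRACE += [Call("open", 4, "/etc/app.conf", "w", "low"), Call("write", 4, label="low"), Call("close", 4)]
TRACE += [Call("open", 5, "/etc/app.conf", "r", "low"), Call("close", 5), Call("close", 3)]

if __name__ == "__main__":
    for name, kw in [("open-for-write only", {}), ("every write", {"audit_write": True}),
                     ("label tracking", {"track_labels": True})]:
        print(f"{name}: {len(audit_trail(TRACE, **kw))} records")
```

Both the open-only and the every-write policies identify the same two modified files; the difference is 2 records versus 1003, and the label-tracking variant adds exactly one record for the label change.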