--- Amy Griffis <[EMAIL PROTECTED]> wrote:
> It would be nice if it were possible to further filter the open calls,
> by allowing the rule to specify certain flags like O_CREAT, O_RDONLY,
> O_WRONLY or O_RDWR. That could do quite a bit to eliminate
> unwanted log data.
>
> What do others think, should we consider adding something like this?

The LSPP project may need to pipe in at some point, depending on how they
decide(d) to address tranquility, especially on devices that may be
"allocated" by users.

In the UNIX B1/LSPP evaluations we found it easier to provide the
capability of auditing file descriptor operations (read, write, seek,
fcheverything, ...) than to prove that they weren't necessary. It's easy
to win the argument that it's ok to write to a file with mode 0 if you
opened it when it was 666. That argument is much harder if the file was
TopSecret and is now Unclassified.

Casey Schaufler
[EMAIL PROTECTED]

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
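The quoted proposal is a rule that matches open calls on their flags (O_CREAT, O_RDONLY, O_WRONLY, O_RDWR) so that read-only opens need not be logged. The script below is an added example, not code from the linux-audit project or from either message author: it applies that kind of rule in userspace to SYSCALL records, decoding the flags argument of open (x86-64 syscall 2, flags in a1) and openat (syscall 257, flags in a2). The flag bit values are the x86-64 Linux ones, and the audit lines are constructed samples, not captured logs.

```python
"""Filter audit SYSCALL records for open()/openat() by open(2) flags.

Example code (not from linux-audit). Constants are x86-64 Linux values;
the sample records are constructed for the demonstration.
"""
import re

# open(2) access modes and flag bits, x86-64 Linux (asm-generic/fcntl.h).
O_RDONLY, O_WRONLY, O_RDWR, O_ACCMODE = 0o0, 0o1, 0o2, 0o3
ACCMODE_NAMES = {O_RDONLY: "O_RDONLY", O_WRONLY: "O_WRONLY", O_RDWR: "O_RDWR"}
FLAG_NAMES = {
    0o100: "O_CREAT",
    0o200: "O_EXCL",
    0o1000: "O_TRUNC",
    0o2000: "O_APPEND",
    0o2000000: "O_CLOEXEC",
}

# x86-64 syscall number -> argument slot that carries the flags word.
# open(path, flags, mode) -> a1; openat(dirfd, path, flags, mode) -> a2.
FLAGS_ARG = {2: "a1", 257: "a2"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def decode_flags(flags):
    """Symbolic names for a flags word; the access mode comes first."""
    names = [ACCMODE_NAMES.get(flags & O_ACCMODE, "O_ACCMODE?")]
    names += [name for bit, name in FLAG_NAMES.items() if flags & bit]
    return names


def open_flags(rec):
    """Flags word of an x86-64 open/openat SYSCALL record, else None."""
    if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e":
        return None
    slot = FLAGS_ARG.get(int(rec.get("syscall", -1)))
    if slot is None:
        return None
    return int(rec[slot], 16)  # auditd prints syscall arguments in hex


def matches_rule(rec, require=(), access=()):
    """Flag-aware rule: every name in `require` must be set and, if `access`
    is given, the access mode must be one of those names."""
    flags = open_flags(rec)
    if flags is None:
        return False
    names = decode_flags(flags)
    if access and names[0] not in access:
        return False
    return all(f in names for f in require)


def filter_opens(lines, require=(), access=()):
    """Return (comm, flags) for each open/openat record the rule keeps."""
    kept = []
    for line in lines:
        rec = parse_record(line)
        if matches_rule(rec, require, access):
            kept.append((rec["comm"], "|".join(decode_flags(open_flags(rec)))))
    return kept


# Constructed sample records (not real captures).
SAMPLE_LOG = [
    # open(path, O_WRONLY|O_CREAT|O_TRUNC, 0666): flags 0x241 in a1
    'type=SYSCALL msg=audit(1700000000.101:1): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1 a1=241 a2=1b6 a3=0 pid=100 uid=1000 comm="touch" exe="/usr/bin/touch" key="file-open"',
    # openat(AT_FDCWD, path, O_RDONLY): flags 0x0 in a2
    'type=SYSCALL msg=audit(1700000000.102:2): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2 a2=0 a3=0 pid=101 uid=1000 comm="cat" exe="/usr/bin/cat" key="file-open"',
    # openat(AT_FDCWD, path, O_WRONLY|O_CREAT|O_APPEND|O_CLOEXEC, 0666): flags 0x80441
    'type=SYSCALL msg=audit(1700000000.103:3): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd3 a2=80441 a3=1b6 pid=102 uid=1000 comm="bash" exe="/usr/bin/bash" key="file-open"',
    # openat(AT_FDCWD, path, O_RDONLY|O_CLOEXEC): flags 0x80000
    'type=SYSCALL msg=audit(1700000000.104:4): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd4 a2=80000 a3=0 pid=103 uid=1000 comm="less" exe="/usr/bin/less" key="file-open"',
    # write(3, buf, 5): not an open call, so never matched
    'type=SYSCALL msg=audit(1700000000.105:5): arch=c000003e syscall=1 success=yes exit=5 a0=3 a1=7ffd5 a2=5 a3=0 pid=100 uid=1000 comm="touch" exe="/usr/bin/touch" key="file-open"',
    # non-SYSCALL record from the same event, ignored
    'type=PATH msg=audit(1700000000.101:1): item=0 name="/tmp/x" inode=1 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00',
]

if __name__ == "__main__":
    print("creating opens:", filter_opens(SAMPLE_LOG, require=["O_CREAT"]))
    print("read-only opens:", filter_opens(SAMPLE_LOG, access=["O_RDONLY"]))
```

With `require=["O_CREAT"]` only the `touch` and `bash` opens survive; with `access=["O_RDONLY"]` only `cat` and `less` do, which is the log reduction the proposal is after. Doing this after the fact still costs the kernel the work of emitting every record, which is why the quoted message asks for the filter in the rule itself.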
