> Out of curiosity, what level of effort does the audit system need to
> go to? Would auditing the close syscall be sufficient? Does dups()
> need to be followed? What about descriptor inheritance? And passing
> descriptors between processes via af_unix?
Keeping track of the life cycle of file descriptors, through dups, forks, and close on execs, is what Polgen's tracker does. Well, almost--it doesn't handle passing descriptors between processes via af_unix, and it doesn't handle the System V IPC calls invoked through ipc.

In short, once the audit parsing library is available, I'll use it to feed the results of an ausearch to the tracker. Its output may be of use in analyzing logs, in addition to being an important component in our policy generation tool.

John

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
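As an added illustration (not Polgen's tracker, and not auditd's record format): a minimal descriptor-lifecycle tracker that applies the rules the message lists (dup, fork inheritance, close-on-exec) to a constructed, simplified syscall event stream of hypothetical `(pid, syscall, args, ret)` tuples. Like the tracker described, it ignores descriptors passed over af_unix.

```python
# Added example: a simplified fd lifecycle tracker. Event tuples and their
# arg dicts are a constructed stand-in for parsed ausearch output, not the
# real audit record format. Descriptor passing over af_unix is not handled.
from dataclasses import dataclass


@dataclass
class Fd:
    path: str
    cloexec: bool = False


class FdTracker:
    """Map each (pid, fd) to the path it refers to across open/dup/fork/exec/close."""

    def __init__(self):
        self.tables = {}  # pid -> {fd number: Fd}

    def feed(self, pid, syscall, args, ret):
        t = self.tables.setdefault(pid, {})
        if syscall in ("open", "openat") and ret >= 0:
            t[ret] = Fd(args["path"], args.get("cloexec", False))
        elif syscall in ("dup", "dup2", "dup3") and ret >= 0:
            src = t.get(args["oldfd"])
            if src is not None:
                # dup/dup2 clear FD_CLOEXEC on the copy; dup3 sets it from its flags
                t[ret] = Fd(src.path, args.get("cloexec", False))
        elif syscall in ("fork", "clone") and ret > 0:
            # the child (pid = return value) inherits a copy of the parent's table
            self.tables[ret] = {fd: Fd(f.path, f.cloexec) for fd, f in t.items()}
        elif syscall == "execve" and ret == 0:
            # a successful exec drops every descriptor marked close-on-exec
            self.tables[pid] = {fd: f for fd, f in t.items() if not f.cloexec}
        elif syscall == "close" and ret == 0:
            t.pop(args["fd"], None)
        elif syscall == "fcntl" and args.get("cmd") == "F_SETFD" and ret == 0:
            if args["fd"] in t:
                t[args["fd"]].cloexec = args["cloexec"]

    def open_paths(self, pid):
        return sorted({f.path for f in self.tables.get(pid, {}).values()})


EVENTS = [  # constructed sample stream: one parent opens, dups, forks; the child execs
    (100, "open", {"path": "/etc/passwd"}, 3),
    (100, "open", {"path": "/var/log/app.log", "cloexec": True}, 4),
    (100, "dup2", {"oldfd": 3, "newfd": 5}, 5),
    (100, "close", {"fd": 3}, 0),
    (100, "fork", {}, 200),
    (200, "execve", {"path": "/bin/sh"}, 0),
    (100, "close", {"fd": 5}, 0),
]


def run(events=EVENTS):
    tracker = FdTracker()
    for ev in events:
        tracker.feed(*ev)
    return {pid: tracker.open_paths(pid) for pid in tracker.tables}
```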
