On Tuesday 03 July 2007 10:38:05 am Stephen Smalley wrote:
> One caveat though - auditing of write() won't catch all possible ways of
> modifying the file data, e.g. one could mmap() the file with MAP_SHARED
> and then write to the memory, followed by msync or munmap.
Agreed. And another gotcha is programs that could pass a descriptor across af_unix sockets where it is then mmap'ed. There is also sendfile which could send the file away to be viewed by other people and there is splice() & tee(2). Don't forget the *at() syscalls, too. IOW, I think the problem is trickier than it might initially appear.

Based on your requirements, you might want to consider putting in place some SE Linux policy to control the different ways that a file can be accessed to keep apps honest. Then you don't need to worry about all the sneak paths that could subvert the audit system.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
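As an added example (not part of this thread or of the audit project's code): a small C program that changes a file's bytes through the mmap(MAP_SHARED) plus msync() path Stephen describes, so a defender can check whether an audit rule set keyed on the write() syscall alone records the change. The temporary file name and contents are constructed for the demo.

```c
/* Added demo (not from the thread): modify a file via mmap()+msync(), never write(). */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Overwrite the first len bytes of path with buf without calling write().
 * Returns 0 on success, -1 on failure. The file must already be >= len bytes. */
int patch_via_mmap(const char *path, const char *buf, size_t len)
{
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return -1;
    /* MAP_SHARED: stores go to the page cache and are written back to the file. */
    char *map = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) {
        close(fd);
        return -1;
    }
    memcpy(map, buf, len);             /* the modification is a plain memory store */
    int rc = msync(map, len, MS_SYNC); /* force the dirty page out to the file */
    munmap(map, len);
    close(fd);
    return rc;
}

/* Round trip for the demo: seed a temp file, patch it via mmap, read it back.
 * Returns 1 if the on-disk content changed as expected, 0 otherwise.
 * (Seeding uses write() once on purpose; only the patch step avoids it.) */
int mmap_patch_roundtrip(void)
{
    char path[] = "/tmp/audit-mmap-XXXXXX"; /* constructed temp file template */
    const char before[] = "hello audit";
    const char after[]  = "HELLO";
    char back[sizeof before] = {0};
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    int ok = write(fd, before, sizeof before - 1) == (ssize_t)(sizeof before - 1);
    close(fd);
    ok = ok && patch_via_mmap(path, after, sizeof after - 1) == 0;
    fd = open(path, O_RDONLY);
    ok = ok && fd >= 0 && read(fd, back, sizeof before - 1) == (ssize_t)(sizeof before - 1);
    if (fd >= 0)
        close(fd);
    unlink(path);
    return ok && strcmp(back, "HELLO audit") == 0;
}
```

Running the round trip under `strace -e trace=write,mmap,msync` shows a single write() for the seed and none for the patch step, which is the call an audit rule would have to catch.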
