<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On 7 June 2013 10:21, Lennart Poettering <span dir="ltr"><<a href="mailto:mzerqung@0pointer.de" target="_blank">mzerqung@0pointer.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On Fri, 07.06.13 12:09, Steve Grubb (<a href="mailto:sgrubb@redhat.com">sgrubb@redhat.com</a>) wrote:<br>
<br>
> > > > POSIX shared memory doesn't define any useful scheme for automatic<br>
> > > > removing of shared memory segments from /dev/shm after use. Hence, in<br>
> > > > order to make sure that left-over segments don't fill up /dev/shm<br>
> > > > forever PA will try to GC dead segments from /dev/shm on each<br>
> > > > start-up. For that it iterates through /dev/shm/pulse-shm*, tries to<br>
> > > > read the PID that is stored in there.<br>
> > ><br>
> > > Maybe the uid can be encoded in the name so that wrong uid's are<br>
> > > skipped?<br>
> ><br>
> > But why?<br>
><br>
> So that you are not filling up the audit logs. There are people that have to<br>
> use these audit rules and we need a normally operating system to produce as<br>
> few false positives as possible.<br>
<br>
</div>Maybe the audit system should be fixed to not trip up by this?<br>
<div class="im"><br></div></blockquote><div><br></div><div style>The audit system is doing what it is supposed to do. Report that a file is being tried to be opened with no permissions to do so. That is pretty much the business rule required to be audited. Exceptions to that rule go up a long chain of command and usually take various signoffs to make sure that you aren't trying to get around the system somewhere. This kind of thing affects everyone who has to deal with auditing in one form or another (PCI, various .gov, various health agencies etc). They get a rule which is written as simple as possible and then the audit system is to find all attempts against that simple rule. And then someone or some group at the site has to go through each attempt and figure out if the problem is a legitimate one, a hacker, etc. When they find out it is a legitimate one, the process is the following:</div>
<div style><br></div><div style>1) Open a ticket with the vendor that they have a problem.</div><div style>2) Open a ticket up the chain of command to have an exception allowed.</div><div style>[Ticket 1 usually takes months to years but is usually faster than ticket 2.]</div>
<div style><br></div><div style>Then most large sites go through their chain of command tickets and find out which ones cost the most and then put those vendors on notice that their products are not meeting expectations and that they want either a larger discount to cover the hidden costs or they will be finding another vendor. </div>
<div><br></div><div><br></div></div><br clear="all"><div><br></div>-- <br><div dir="ltr">Stephen J Smoogen.<br><br></div>
</div></div>