On 7 June 2013 12:29, Matthew Garrett <mjg59(a)srcf.ucam.org> wrote:
> On Fri, Jun 07, 2013 at 02:02:14PM -0400, Simo Sorce wrote:
> > The point is that we are simply throwing ideas off the wall as an aid in
> > finding a way to solve the issue for all.
> So why not add a mechanism to permit applications to indicate that
> certain accesses they make should be ignored by audit?
Just so people know, this is one of the oldest auditing arguments in the
world. I have had programmers say that since the 1990s. [The standard
counter story is that user program X says "don't audit anything I do in
/etc." The programmer counters with adding a blacklist of directories that
can't be audited, this gets countered by something else, and eventually you
have a process where programs with a GPG signature that has been accepted
as valid by the audit program can say which of the whitelisted files they
want opened without audit... and then some other programmer comes in and
shows that the 20,000 lines of code that need to be audited replace 40
lines of C code in the programs that were causing the problem.]
The problem is that the issue is a social one and not a technical one, which
is why I think there is so much hostility towards auditing. You can't fix
it with a technical fix; you have to fix it via social methods and a lot of
time. In this case, the general rule is "Audit all failed accesses."
Programs and methods which allow for automatically getting around that get
rejected by higher-ups (I have seen several teams fight that mountain over
the years).
Instead, what the higher-ups want is that the site knows what is causing
problems and why it is causing problems, and only then, once it has been
proven by code audit that it can't get around it, can you add a line in
/etc/audit saying that accesses to this directory are not to be audited. If
you are lucky and working in a .gov/.mil setting that might take 6 months.
If you are unlucky and working at a doctor's office (HIPAA) or a store with
credit cards (PCI) it can take a lot of extra money or time to get around
this.
The worst audit I dealt with was with a hospital's cafeteria, which had to
be closed for one day and go cash-only for a couple of others until the
audit rules were in place that met the audit team's specifications. The
next year another audit team required other changes and the removal of
various items from the first. All of these were social items that the sys
admins and coders involved had no technical fix for.
> --
> Matthew Garrett | mjg59(a)srcf.ucam.org
--
devel mailing list
devel(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
--
Stephen J Smoogen.
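The process the message describes ("audit all failed accesses", then find out which program is tripping the rule and why, and only then carve a narrow exception) has a concrete shape on a Linux box running auditd. The script below is an added example, not code from this thread or from the audit project: it states the "audit all failed accesses" rule set as auditctl lines, then triages constructed (and abbreviated) audit.log records by program and directory so a site can see what is causing the noise before anyone argues about an exclusion. The program names (app-x, backup-agent), the key name, and the log contents are invented for the example; the record format and the auditctl options used (-a always,exit, -a never,exit, -F exit=, -F exe=, -F dir=) are assumed from the audit tooling.

```python
"""Triage of failed-access audit events, grouped by program and directory.

Added example; the log records below are constructed and abbreviated
(real auditd SYSCALL records carry many more fields) and the program
names are hypothetical.  Assumes the auditd record format and auditctl
rule syntax (-a always,exit / -a never,exit, -F exit=, -F exe=, -F dir=).
"""
import re
from collections import Counter, defaultdict

EACCES, EPERM = -13, -1   # errno values as they appear in the exit= field

# The "audit all failed accesses" rule set for x86_64 open-family syscalls,
# as lines one would load with `auditctl -R` (the key name is our choice).
AUDIT_RULES = """\
-a always,exit -F arch=b64 -S open,openat,truncate -F exit=-EACCES -F key=failed-access
-a always,exit -F arch=b64 -S open,openat,truncate -F exit=-EPERM -F key=failed-access
"""

# Constructed sample: a SYSCALL record and its CWD/PATH records share one
# msg=audit(timestamp:serial) id.  exit=-13 is EACCES, exit=-2 is ENOENT.
# Serials 4505 and 4506 come from other rules and must not be counted.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1370613000.101:4501): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=2345 auid=1000 uid=1000 comm="app-x" exe="/usr/local/bin/app-x" key="failed-access"
type=CWD msg=audit(1370613000.101:4501): cwd="/"
type=PATH msg=audit(1370613000.101:4501): item=0 name="/var/lib/app-x/cache.db" inode=1234 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1370613000.102:4502): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=2345 auid=1000 uid=1000 comm="app-x" exe="/usr/local/bin/app-x" key="failed-access"
type=PATH msg=audit(1370613000.102:4502): item=0 name="/var/lib/app-x/state" inode=1235 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1370613000.103:4503): arch=c000003e syscall=257 success=no exit=-13 items=1 pid=2345 auid=1000 uid=1000 comm="app-x" exe="/usr/local/bin/app-x" key="failed-access"
type=PATH msg=audit(1370613000.103:4503): item=0 name="/var/lib/app-x/cache.db" inode=1234 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1370613000.104:4504): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=3100 auid=1001 uid=1001 comm="backup-agent" exe="/usr/local/bin/backup-agent" key="failed-access"
type=PATH msg=audit(1370613000.104:4504): item=0 name="/etc/shadow" inode=99 mode=0100000 ouid=0 ogid=0
type=SYSCALL msg=audit(1370613000.105:4505): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=2345 auid=1000 uid=1000 comm="app-x" exe="/usr/local/bin/app-x" key="all-opens"
type=PATH msg=audit(1370613000.105:4505): item=0 name="/tmp/app-x.lock" inode=77 mode=0100644 ouid=1000 ogid=1000
type=SYSCALL msg=audit(1370613000.106:4506): arch=c000003e syscall=2 success=no exit=-2 items=1 pid=2345 auid=1000 uid=1000 comm="app-x" exe="/usr/local/bin/app-x" key="all-opens"
type=PATH msg=audit(1370613000.106:4506): item=0 name="/var/lib/app-x/missing" nametype=UNKNOWN
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')


def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["serial"] = SERIAL_RE.search(line).group(1)
    return fields


def group_events(log_text):
    """Join the SYSCALL and PATH records that share a serial into one event."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        ev = events[rec["serial"]]
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec
        elif rec["type"] == "PATH":
            ev["paths"].append(rec["name"])
    return events


def failed_access_summary(log_text, errnos=(EACCES, EPERM)):
    """Count permission failures per (exe, directory), ignoring successful
    calls and non-permission errors such as ENOENT."""
    counts = Counter()
    for ev in group_events(log_text).values():
        sc = ev.get("syscall")
        if sc is None or sc.get("success") != "no":
            continue
        if int(sc["exit"]) not in errnos:
            continue
        for path in ev["paths"]:
            directory = path.rsplit("/", 1)[0] or "/"
            counts[(sc["exe"], directory)] += 1
    return counts


def exclusion_rule(exe, directory):
    """The narrow rule a site might add only after the (exe, directory) pair
    has been explained and code-reviewed.  It must be listed before the
    always rules, because auditctl applies the first matching rule."""
    return (f"-a never,exit -F arch=b64 -S open,openat,truncate "
            f"-F exe={exe} -F dir={directory}")


if __name__ == "__main__":
    for (exe, directory), n in failed_access_summary(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {exe}  {directory}")
```

On a real system the input would be the output of `ausearch -k failed-access --raw` rather than the embedded sample. The summary makes the argument in the message concrete: the output names the one program and one directory producing the bulk of the failures (here app-x under /var/lib/app-x), which is the evidence a site needs before an exception like the one exclusion_rule() builds is even discussed, and it keeps the lone backup-agent failure on /etc/shadow visible instead of letting a blanket "don't audit me" request from the noisy program hide it.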