On Fri, 07.06.13 15:35, Steve Grubb (sgrubb(a)redhat.com) wrote:

> On Friday, June 07, 2013 07:29:56 PM Matthew Garrett wrote:
> > On Fri, Jun 07, 2013 at 02:02:14PM -0400, Simo Sorce wrote:
> > > The point is that we are simply throwing ideas off the wall as an aid in
> > > finding a way to solve the issue for all.
> >
> > So why not add a mechanism to permit applications to indicate that
> > certain accesses they make should be ignored by audit?
>
> We've never needed an exception in the past. What I'm reporting is there is
> now a trend on the rise where apps are trying to open files that do not belong
> to them or open them not wanting the access time updated which attempts to
> bypass forensic time stamps.

This is hardly a "new trend" btw. PA has been doing this since about
forever and has been default since Fedora 8. Which is more than 5 years
ago.
Lennart
--
Lennart Poettering - Red Hat, Inc.