Bad file access on the rise
mjg59 at srcf.ucam.org
Fri Jun 7 18:52:35 UTC 2013
On Fri, Jun 07, 2013 at 08:38:56PM +0200, Miloslav Trmač wrote:
> On Fri, Jun 7, 2013 at 8:29 PM, Matthew Garrett <mjg59 at srcf.ucam.org> wrote:
> > So why not add a mechanism to permit applications to indicate that
> > certain accesses they make should be ignored by audit?
> Because it would be primarily useful to the attackers' applications.
> Or am I missing something? (BTW, audit already has something like
> "dontaudit" rules. But it has limited information to work with.)
If the attacker has root then the attacker can just change the file
Matthew Garrett | mjg59 at srcf.ucam.org
More information about the devel