Bad file access on the rise

Steve Grubb sgrubb at redhat.com
Fri Jun 7 19:35:28 UTC 2013


On Friday, June 07, 2013 07:29:56 PM Matthew Garrett wrote:
> On Fri, Jun 07, 2013 at 02:02:14PM -0400, Simo Sorce wrote:
> > The point is that we are simply throwing ideas off the wall as an aid in
> > finding a way to solve the issue for all.
> 
> So why not add a mechanism to permit applications to indicate that
> certain accesses they make should be ignored by audit?

We've never needed an exception in the past. What I'm reporting is there is 
now a trend on the rise where apps are trying to open files that do not belong 
to them or open them not wanting the access time updated which attempts to 
bypass forensic time stamps.

So far, the discussion has focused on pulseaudio. But what about the O_NOATIME 
issue? I wrote an article [1] for the Hack in the Box magazine a while back 
about using the audit system to look for application problems across the whole 
distribution at once. It's good at doing that. And like SE Linux, sometimes the 
fix is not to avoid auditing bad behaving apps, but to fix them.

As for the O_NOATIME...cinnamon is the prime offender and neither it nor muffin 
have O_NOATIME anywhere in the code. So, it's coming from a library. Anyone 
have any ideas? If we can fix that one at least we can make some progress.

Thanks,
-Steve

[1] - http://magazine.hitb.org/issues/HITB-Ezine-Issue-005.pdf
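
An added example, not part of the original message: per open(2), O_NOATIME on a file the caller does not own fails with EPERM, so the pattern described above shows up as failed open/openat SYSCALL records that can be tallied per executable. The sketch assumes raw (uninterpreted) x86_64 audit.log records; the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# x86_64 values (assumption: records come from an x86_64 host).
O_NOATIME = 0o1000000                  # 0x40000 in <fcntl.h>
EPERM = 1
X86_64 = "c000003e"                    # audit arch field for x86_64
FLAGS_ARG = {"2": "a1", "257": "a2"}   # open(path, flags) / openat(dfd, path, flags)

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one raw audit record into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def noatime_denials(lines):
    """Count, per executable, open/openat calls that set O_NOATIME and got EPERM."""
    hits = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("arch") != X86_64:
            continue
        arg = FLAGS_ARG.get(rec.get("syscall"))
        if arg is None or arg not in rec or "exit" not in rec:
            continue
        flags = int(rec[arg], 16)      # raw records log syscall args as bare hex
        if int(rec["exit"]) == -EPERM and flags & O_NOATIME:
            hits[rec.get("exe", "?")] += 1
    return hits

# Constructed sample records (not taken from a real system).
SAMPLE = [
    'type=SYSCALL msg=audit(1370633728.101:812): arch=c000003e syscall=2 success=no '
    'exit=-1 a0=7f3a10 a1=40000 a2=0 a3=0 items=1 pid=2101 uid=1000 comm="cinnamon" '
    'exe="/usr/bin/cinnamon" key="access"',
    'type=SYSCALL msg=audit(1370633728.140:813): arch=c000003e syscall=257 success=no '
    'exit=-1 a0=ffffff9c a1=7f3a40 a2=c0000 a3=0 items=1 pid=2101 uid=1000 '
    'comm="cinnamon" exe="/usr/bin/cinnamon" key="access"',
    'type=SYSCALL msg=audit(1370633729.002:814): arch=c000003e syscall=2 success=no '
    'exit=-13 a0=7f1b20 a1=2 a2=0 a3=0 items=1 pid=1988 uid=1000 comm="pulseaudio" '
    'exe="/usr/bin/pulseaudio" key="access"',
    'type=SYSCALL msg=audit(1370633730.455:815): arch=c000003e syscall=2 success=yes '
    'exit=3 a0=7f9c00 a1=40000 a2=0 a3=0 items=1 pid=2250 uid=1000 comm="backup" '
    'exe="/usr/bin/backup" key="access"',
]

if __name__ == "__main__":
    for exe, count in noatime_denials(SAMPLE).most_common():
        print(f"{count:4d}  {exe}")
```

The per-executable tally identifies which process made the call but not which shared library inside it requested O_NOATIME; that still has to be traced in the process itself.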
