Bad file access on the rise
Steve Grubb
sgrubb at redhat.com
Sat Jun 8 13:25:21 UTC 2013
On Saturday, June 08, 2013 06:33:11 AM Matthew Garrett wrote:
> On Fri, Jun 07, 2013 at 07:03:24PM -0600, Stephen John Smoogen wrote:
> > On 7 June 2013 12:29, Matthew Garrett <mjg59 at srcf.ucam.org> wrote:
> > > So why not add a mechanism to permit applications to indicate that
> > > certain accesses they make should be ignored by audit?
> >
> > Just so people know, this is like one of the the oldest auditing argument
> > in the world. I have had programmers say that since the 1990's. [The
> > standard counter story is that user program X says "don't audit anything I
> > do in /etc." The programmer counters with adding in a black list of
> > directories that can't be audited, this gets countered by something else
> > and eventually you have a process where programs that have a GPG signature
> > that has been accepted as valid by the audit program can say which of the
> > white listed files it wants opened without audit are dealt with... and
> > then
> > some other programmer comes in and shows the 20,000 lines of need to be
> > audited code replaces 40 lines of C code in the programs that were causing
> > the problem.]
>
> Well, http://www.stigviewer.com/check/V-29067 implies that filtering of
> audit records is a reasonable thing to do.
What this requirement is talking about is that we must provide something like
ausearch. OK, we do that. What I am telling you is that the OS has changed in
a bad way in the last year or two. It has _never_ been this noisy for
auditing. Look at this:
# aureport --start this-week --key --summary
Key Summary Report
===========================
total key
===========================
73520 access
562 module-load
149 module-unload
135 bypass
132 system-locale
132 container-config
113 time-change
110 identity
100 data-injection
88 container-create
88 export
58 register-injection
44 code-injection
29 power-abuse
22 modules-del
22 modules-add
22 MAC-policy
The bad access events dominate the event log.
> I have no expectation that arbitrary user applications should be able to do
> whatever they want without leaving an audit trail, but I don't see what that
> has to do with system applications. Root has the ability to modify the
> selinux policy, so root (and packages installed by root) should have the
> ability to modify the set of behaviours that trigger audit records.
Its not quite like this. What I need is the OS to be well behaved under normal
conditions so that when problems come along they are easily spotted. Fedora
has been a fairly well behaved OS over the years. I have had to get a few apps
fixed in the past and the maintainers have always been accommodating. But this
time I am finding we have a serious problem worse than in the past.
Thanks,
-Steve
More information about the devel
mailing list