Bad file access on the rise

Matthew Garrett mjg59 at
Sun Jun 9 04:56:42 UTC 2013

On Sat, Jun 08, 2013 at 08:28:48PM -0400, Doug Ledford wrote:
> On 06/08/2013 02:35 PM, Adam Williamson wrote:
> > Well, you're defining something as 'bad behaviour' fairly arbitrarily -
> > or at least controversially: not everyone agrees with your definition.
> Speaking as a former sysadmin responsible for intrusion detection, this
> is not a controversial definition at all (namely that anything that
> creates audit events without a reasonably just cause is 'bad behavior').
>  It is the only sane definition of 'bad behavior'.  Anything that makes
> an admin go chasing ghosts for no good reason is most definitely 'bad
> behavior', and every single audit event on a system must be identifiable
> by the admins before you know your system is secure.

I don't think anyone wants these accesses to generate audit records. The 
question is whether the right way to fix that is to avoid those accesses 
in the first place or to provide a mechanism so that legitimate accesses 
don't generate audit records.

Matthew Garrett | mjg59 at

More information about the devel mailing list