Bad file access on the rise
mjg59 at srcf.ucam.org
Sun Jun 9 04:56:42 UTC 2013
On Sat, Jun 08, 2013 at 08:28:48PM -0400, Doug Ledford wrote:
> On 06/08/2013 02:35 PM, Adam Williamson wrote:
> > Well, you're defining something as 'bad behaviour' fairly arbitrarily -
> > or at least controversially: not everyone agrees with your definition.
> Speaking as a former sysadmin responsible for intrusion detection, this
> is not a controversial definition at all (namely that anything that
> creates audit events without a reasonably just cause is 'bad behavior').
> It is the only sane definition of 'bad behavior'. Anything that makes
> an admin go chasing ghosts for no good reason is most definitely 'bad
> behavior', and every single audit event on a system must be identifiable
> by the admins before you know your system is secure.
I don't think anyone wants these accesses to generate audit records. The
question is whether the right way to fix that is to avoid those accesses
in the first place or to provide a mechanism so that legitimate accesses
don't generate audit records.
Matthew Garrett | mjg59 at srcf.ucam.org