Re: Bad file access on the rise

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 






On 7 June 2013 12:29, Matthew Garrett <mjg59@xxxxxxxxxxxxx> wrote:
On Fri, Jun 07, 2013 at 02:02:14PM -0400, Simo Sorce wrote:

> The point is that we are simply throwing ideas off the wall as an aid in
> finding a way to solve the issue for all.

So why not add a mechanism to permit applications to indicate that
certain accesses they make should be ignored by audit?


Just so people know, this is like one of the the oldest auditing argument in the world. I have had programmers say that since the 1990's. [The standard counter story is that user program X says "don't audit anything I do in /etc." The programmer counters with adding in a black list of directories that can't be audited, this gets countered by something else and eventually you have a process where programs that have a GPG signature that has been accepted as valid by the audit program can say which of the white listed files it wants opened without audit are dealt with... and then some other programmer comes in and shows the 20,000 lines of need to be audited code replaces 40 lines of C code in the programs that were causing the problem.]

The problem is that the issue is a social one and not a technical one which is why i think there is so much hostility towards auditing. You can't fix it with a technical fix, you have to fix it via social methods and a lot of time. In this case, the general rule is "Audit all failed accesses." Programs and methods which allow for automatic getting around that get rejected by higher ups ( I have seen several teams fight that mountain over the years).

Instead what the higher ups want is that the site knows what is causing problems, why it is causing problems and only then and it has been proven by code audit that it can't get around it can you add a line in an /etc/audit that accesses to this directory are not to be audited. If you are lucky and working in a .gov/.mil setting that might take 6 months. If you are unlucky and working at a doctor's office (HIPPAA) or a store with credit cards (PCI) it can take a lot of extra money or time to get around this. 

The worst audit I dealt with was with a hospitals cafeteria which had to be closed for one day and go cash-only for a couple other until the audit rules were in place that met the audit teams specifications. The next year another audit team required other changes and a removal of various items of the first. All of it social items that the sys admins and coders involved had no technical fix for. 


 
--
Matthew Garrett | mjg59@xxxxxxxxxxxxx



--
Stephen J Smoogen.

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux