On Sat, Jun 08, 2013 at 08:28:48PM -0400, Doug Ledford wrote: > On 06/08/2013 02:35 PM, Adam Williamson wrote: > > Well, you're defining something as 'bad behaviour' fairly arbitrarily - > > or at least controversially: not everyone agrees with your definition. > > Speaking as a former sysadmin responsible for intrusion detection, this > is not a controversial definition at all (namely that anything that > creates audit events without a reasonably just cause is 'bad behavior'). > It is the only sane definition of 'bad behavior'. Anything that makes > an admin go chasing ghosts for no good reason is most definitely 'bad > behavior', and every single audit event on a system must be identifiable > by the admins before you know your system is secure. I don't think anyone wants these accesses to generate audit records. The question is whether the right way to fix that is to avoid those accesses in the first place or to provide a mechanism so that legitimate accesses don't generate audit records. -- Matthew Garrett | mjg59@xxxxxxxxxxxxx -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
