Quoting Steve Grubb ([EMAIL PROTECTED]):
> Hi,
>
> With file based capabilities in recent kernels, I think we need to add those
> to the path records. An example PATH record:

That's a great idea (and would get me to use audit :).

> node=127.0.0.1 type=PATH msg=audit(1223893548.459:459): item=1
> name="/etc/resolv.conf" inode=20774937 dev=08:08 mode=0100644 ouid=0 ogid=0
> rdev=00:00 obj=system_u:object_r:net_conf_t:s0
>
> If executing the file leads to extra capabilities, I think we need to record
> that. If we add it, I'd like to see it recorded like render_cap_t does for
> the proc filesystem.

Agreed. Then userspace tools can print out full capability names.

> In order to conserve disk space, should we make the
> field optional so that it doesn't appear in the record unless there are file
> based capabilities?

Except I think setcap should also be audited, so that if a task receives some
inheritable capabilities, you can tell from the logs when that happened and
which executable did it.

Do you already have a patch for this?

-serge

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
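As an added example, not code from the thread or from the audit project, here is a small Python checker for the record layout discussed above. It assumes the file-capability fields are named cap_fp, cap_fi and cap_fe and carry a render_cap_t style hex mask (an assumption, not something the thread settles), parses a PATH record, renders the mask as capability names, and flags executables that grant permitted or inheritable capabilities.

```python
import shlex

# Capability bit numbers from linux/capability.h; the first 32 are stable.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap",
]

# Constructed sample records. The first is the PATH record from the thread;
# the others are made up and assume cap_fp/cap_fi/cap_fe field names.
REC_RESOLV = ('node=127.0.0.1 type=PATH msg=audit(1223893548.459:459): item=1 '
              'name="/etc/resolv.conf" inode=20774937 dev=08:08 mode=0100644 '
              'ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0')
REC_PING = ('node=127.0.0.1 type=PATH msg=audit(1223893548.459:460): item=0 '
            'name="/bin/ping" inode=1234 dev=08:08 mode=0100755 ouid=0 ogid=0 '
            'rdev=00:00 obj=system_u:object_r:ping_exec_t:s0 '
            'cap_fp=2000 cap_fi=0 cap_fe=1')
REC_INHERIT = ('node=127.0.0.1 type=PATH msg=audit(1223893548.459:461): item=0 '
               'name="/usr/local/bin/helper" inode=5678 dev=08:08 mode=0100755 '
               'ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 '
               'cap_fp=0 cap_fi=200000 cap_fe=0')


def parse_record(line):
    """Split an audit record into field=value pairs; shlex strips the quotes."""
    fields = {}
    for tok in shlex.split(line):
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def cap_names(mask_hex):
    """Render a hex capability mask (render_cap_t style) as capability names."""
    mask = int(mask_hex, 16)
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else "cap_%d" % i
            for i in range(mask.bit_length()) if mask >> i & 1]


def file_caps(line):
    """Return (name, permitted, inheritable, effective) for a PATH record
    whose file grants capabilities, or None when it grants none."""
    f = parse_record(line)
    if f.get("type") != "PATH":
        return None
    permitted = cap_names(f.get("cap_fp", "0"))
    inheritable = cap_names(f.get("cap_fi", "0"))
    if not permitted and not inheritable:
        return None
    return f["name"], permitted, inheritable, f.get("cap_fe", "0") == "1"
```

Records without the optional fields, as proposed in the thread, parse the same way and simply report no file capabilities.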
