Quoting Steve Grubb ([EMAIL PROTECTED]):
> On Monday 13 October 2008 10:04:27 Serge E. Hallyn wrote:
> > Except I think setcap should also be audited, so that if a task receives
> > some inheritable capabilities, you can tell from the logs when that
> > happened and which executable did it.
> >
> > Do you already have a patch for this?
>
> Would an audit rule for setxattrs cover the setting?

Sorry, I meant capset :) A task changing its capability sets.
Particularly if it adds to pI (as login/pam_cap will likely do).

-serge

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
