Audit capabilities message

Steve Grubb sgrubb at redhat.com
Fri Apr 29 13:58:00 UTC 2005


Hello,

What I'm thinking about is either to create a new capabilities message or 
piggyback the info onto the get status message. What we need to know is what 
configurable subsystem is included in the kernel. For example, 
CONFIG_AUDITSYSCALL and CONFIG_AUDITFILESYSTEM should enable individual 
messages. Any new auditing subsystem in the future would add a message so 
that old tools can warn about a more capable kernel.

Also, when we start doing LSPP, we probably need to know whether or not the 
kernel supports labeled subjects & objects.

If we ever split netlink into control and data channels, this would be the 
place to tell user space. The audit daemon could query capabilities, see the 
kernel supports dual channel and open another netlink socket. Older kernels 
won't have this so we stay on the same socket. (Not that this will ever 
happen...but if it did, this would help tools adapt.)

-Steve



