[RFC] linux-2.6.10-auditfs-tc1.patch
Casey Schaufler
casey at schaufler-ca.com
Mon Jan 24 16:29:00 UTC 2005
--- Steve Grubb <sgrubb at redhat.com> wrote:
> On Friday 21 January 2005 20:19, Casey Schaufler
> wrote:
> > The Irix CAPP system (for example) uses
> > capabilities and yes, they go in the audit trail
> > along with an indication of which capabilities were
> > required to perform the action, if any.
>
> Which capabilities?
- The process capability set
- The set of capabilities that were
actually required
- In Irix you can get privilege by
either having the capability or by
being root. If you got privilege
not because you have the capability
but because you're root that is
indicated as well.
- If you don't get access, the capability
that was checked and failed is noted.
> The capabilities of the process
> or the capability required
> to successfully make the syscall? This would likely
> add a lot of text to the
> message the kernel sends.
Yes, it does. On the other hand, it allows you
to identify and filter based on the capability
involved. This is very important in an LSPP
system, where it is very important to keep an
eye on MAC violations.
> I would have to say we
> can't do this unless there
> is a certification requirement that we are trying to
> meet. Even then, maybe
> something that's a bitmap might be all we can do.
A bitmap would suffice, although it might not be
very convenient.
> > This is probably a bit late in the discussion,
> > but have y'all considered using a tokenized audit
> > record format?
>
> Yes. The audit program has a format_type
> configuration option so these can be
> written. Send the patch to me or this mail list
> against the latest audit
> daemon code.
Hum. I'll have to see what I can do.
=====
Casey Schaufler
casey at schaufler-ca.com
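The record layout Casey lists (process capability set, the set actually required, whether privilege came from a capability or from being root, and the capability whose check failed on denial) and Steve's bitmap compromise can be sketched in a few dozen lines. The following is an added illustration, not code from this thread, from the auditfs patch or from Irix: the kernel side emits each set as a hex bitmap with a couple of fixed tokens, and the user-space side decodes the bitmap to filter on a capability, which is where the decoding cost of a bitmap lands. Capability numbers are the Linux values from <linux/capability.h>; the "pcap=/req=/via=/res=/fcap=" field names, the rule that the whole required set must be present, and the sample checks are assumptions of this example.

```c
/*
 * Added example, not code from the linux-audit thread, from the auditfs
 * patch or from Irix.  Models the capability audit record described in
 * the post as bitmaps, plus the user-space decode/filter step.
 * Capability numbers are Linux's; the field layout is invented here.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CAP_NET_BIND_SERVICE = 10, CAP_NET_ADMIN = 12, CAP_SYS_ADMIN = 21 };

#define CAP_BIT(c) (UINT64_C(1) << (c))

static const char *cap_name(int cap)
{
    switch (cap) {
    case CAP_NET_BIND_SERVICE: return "CAP_NET_BIND_SERVICE";
    case CAP_NET_ADMIN:        return "CAP_NET_ADMIN";
    case CAP_SYS_ADMIN:        return "CAP_SYS_ADMIN";
    default:                   return "CAP_UNKNOWN";
    }
}

/* Outcome of one privilege check, carrying the four items the post lists. */
struct cap_audit {
    uint64_t pcap;       /* process (effective) capability set */
    uint64_t req;        /* capabilities the operation actually required */
    int      via_root;   /* 1: privilege came from euid 0, not from a capability */
    int      granted;    /* 1: access allowed */
    int      failed_cap; /* on denial: the capability whose check failed, else -1 */
};

/* Irix-style decision per the post: capability first, root as fallback.
 * Requiring the whole `req` set to be present is this example's assumption. */
static struct cap_audit cap_check(uint64_t pcap, uint64_t req, int euid)
{
    struct cap_audit r = { pcap, req, 0, 0, -1 };
    uint64_t missing = req & ~pcap;

    if (missing == 0) {
        r.granted = 1;                     /* granted by capability (or none needed) */
    } else if (euid == 0) {
        r.granted = 1;
        r.via_root = 1;                    /* granted only because of root */
    } else {
        for (int c = 0; c < 64; c++)       /* note the first capability that failed */
            if (missing & CAP_BIT(c)) { r.failed_cap = c; break; }
    }
    return r;
}

/* Kernel side: emit the record compactly, bitmaps as hex, a name only on failure. */
static int format_cap_record(char *buf, size_t n, const struct cap_audit *r)
{
    const char *via = (!r->granted || r->req == 0) ? "none"
                    : (r->via_root ? "root" : "cap");
    int len = snprintf(buf, n, "pcap=%016" PRIx64 " req=%016" PRIx64 " via=%s res=%s",
                       r->pcap, r->req, via, r->granted ? "ok" : "fail");
    if (!r->granted && len > 0 && (size_t)len < n)
        len += snprintf(buf + len, n - len, " fcap=%s", cap_name(r->failed_cap));
    return len;
}

/* Convenience: run a check and return its formatted record (static buffer). */
static const char *check_and_format(uint64_t pcap, uint64_t req, int euid)
{
    static char buf[160];
    struct cap_audit r = cap_check(pcap, req, euid);
    format_cap_record(buf, sizeof buf, &r);
    return buf;
}

/* User-space side: decode the req bitmap (and the fcap token) to answer
 * "does this record involve capability `cap`?", the filter the post wants. */
static int record_involves_cap(const char *rec, int cap)
{
    const char *p = strstr(rec, "req=");
    uint64_t req = 0;
    if (p && sscanf(p + 4, "%" SCNx64, &req) == 1 && (req & CAP_BIT(cap)))
        return 1;
    p = strstr(rec, "fcap=");
    return p != NULL && strcmp(p + 5, cap_name(cap)) == 0;
}

int main(void)
{
    /* Constructed sample checks: granted by capability, granted by root, denied. */
    puts(check_and_format(CAP_BIT(CAP_NET_BIND_SERVICE), CAP_BIT(CAP_NET_BIND_SERVICE), 1000));
    puts(check_and_format(0, CAP_BIT(CAP_NET_ADMIN), 0));
    puts(check_and_format(0, CAP_BIT(CAP_NET_ADMIN), 1000));
    return 0;
}
```

The trade-off the two posts argue over is visible in the split: the kernel emits 16 hex digits per set and never has to carry capability names except for the one failed check, while anyone filtering on a capability has to decode the bitmap in user space, as record_involves_cap does.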