auditing file based capabilities
Serge E. Hallyn
serue at us.ibm.com
Mon Oct 13 14:04:27 UTC 2008
Quoting Steve Grubb (sgrubb at redhat.com):
> Hi,
>
> With file based capabilities in recent kernels, I think we need to add those
> to the path records. An example PATH record:
That's a great idea (and would get me to use audit :).
> node=127.0.0.1 type=PATH msg=audit(1223893548.459:459): item=1
> name="/etc/resolv.conf" inode=20774937 dev=08:08 mode=0100644 ouid=0 ogid=0
> rdev=00:00 obj=system_u:object_r:net_conf_t:s0
>
> If executing the file leads to extra capabilities, I think we need to record
> that. If we add it, I'd like to see it recorded like render_cap_t does for
> the proc filesystem.
Agreed. Then userspace tools can print out full capability names.
> In order to conserve disk space, should we make the
> field optional so that it doesn't appear in the record unless there are file
> based capabilities?
Except I think setcap should also be audited, so that if a task receives
some inheritable capabilities, you can tell from the logs when that
happened and which executable did it.
Do you already have a patch for this?
-serge
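The thread proposes putting file capabilities into PATH records in the hex form that render_cap_t uses for /proc. The following is an added example (not code from the thread, the kernel, or the audit userspace) of what the consuming side would look like: it parses PATH records into fields, decodes a hex capability mask into capability names, and flags records whose executed file carries non-empty file capabilities. The field names `cap_fp`, `cap_fi` and `cap_fe` are an assumption about how such a field might be named; the second sample record and its values are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Capability bit numbers from <linux/capability.h>; list index == bit position.
# Names stop at CAP_MAC_ADMIN (bit 33); later bits are rendered as CAP_<n>.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN",
]

# Assumed field names for the file capability sets (permitted, inheritable,
# effective) in a PATH record; the thread does not fix the names.
CAP_FIELDS = ("cap_fp", "cap_fi", "cap_fe")

# key=value tokens; values may be double-quoted (e.g. name="/etc/resolv.conf").
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Sample records: the first is the PATH record quoted in the thread, joined on
# one line; the second and third are constructed for this example.
SAMPLE_LINES = [
    'node=127.0.0.1 type=PATH msg=audit(1223893548.459:459): item=1 '
    'name="/etc/resolv.conf" inode=20774937 dev=08:08 mode=0100644 ouid=0 ogid=0 '
    'rdev=00:00 obj=system_u:object_r:net_conf_t:s0',
    'node=127.0.0.1 type=PATH msg=audit(1223893600.000:460): item=0 '
    'name="/usr/local/bin/pingtool" inode=123456 dev=08:08 mode=0100755 ouid=0 '
    'ogid=0 rdev=00:00 cap_fp=0000000000002000 cap_fe=0000000000002000',
    'node=127.0.0.1 type=SYSCALL msg=audit(1223893600.000:460): arch=c000003e '
    'syscall=59 success=yes exit=0 cap_fp=0000000000002000',
]


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a field dict, stripping value quotes."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def decode_cap_mask(hex_mask: str) -> List[str]:
    """Turn a render_cap_t-style hex mask into capability names, lowest bit first."""
    mask = int(hex_mask, 16)
    names: List[str] = []
    bit = 0
    while mask >> bit:
        if mask & (1 << bit):
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def find_capability_grants(lines: List[str]) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Return (path, {field: [caps]}) for PATH records with non-zero file caps.

    Only PATH records are considered: the same field name on another record
    type would describe something else, so it is deliberately ignored here.
    """
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "PATH":
            continue
        grants = {
            field: decode_cap_mask(rec[field])
            for field in CAP_FIELDS
            if field in rec and int(rec[field], 16) != 0
        }
        if grants:
            hits.append((rec.get("name", "?"), grants))
    return hits


if __name__ == "__main__":
    for path, grants in find_capability_grants(SAMPLE_LINES):
        sets = ", ".join(f"{k}={'|'.join(v)}" for k, v in grants.items())
        print(f"{path}: {sets}")
```

Because the field is optional in the proposal, the absence of `cap_*` keys is the normal case and the scan simply skips those records; a non-zero mask on a PATH record is the event worth alerting on. Decoding from the low bit upward keeps the output stable if the kernel adds capabilities beyond the names in the table.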