On Monday 13 October 2008 10:04:27 Serge E. Hallyn wrote: > Except I think setcap should also be audited, so that if a task receives > some inheritable capabilities, you can tell from the logs when that > happened and which executable did it. > > Do you already have a patch for this? Would an audit rule for setxattrs cover the setting? -Steve