auditing file based capabilities

Serge E. Hallyn serue at us.ibm.com
Mon Oct 13 15:42:31 UTC 2008


Quoting Steve Grubb (sgrubb at redhat.com):
> On Monday 13 October 2008 10:04:27 Serge E. Hallyn wrote:
> > Except I think setcap should also be audited, so that if a task receives
> > some inheritable capabilities, you can tell from the logs when that
> > happened and which executable did it.
> >
> > Do you already have a patch for this?
> 
> Would an audit rule for setxattrs cover the setting?

Sorry, I meant capset :)

A task changing its capability sets.  Particularly if it adds to pI (as
login/pam_cap will likely do).

-serge
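The kind of log check Serge is asking for, as an added example that is not part of the thread: a Python filter that pulls capset SYSCALL records out of audit log text and reports which pid/exe made the call, using the capset syscall numbers for x86_64 (126) and i386 (185). The sample records are constructed; note that the SYSCALL record identifies the caller, not the new pI value, since capset receives its header and data structs through pointers (a0/a1).

```python
import re
from typing import Dict, List

# capset syscall number per audit arch value (x86_64 and i386 only).
CAPSET_SYSCALL = {"c000003e": 126, "40000003": 185}

# Rules that would produce such records (auditctl syntax):
#   -a always,exit -F arch=b64 -S capset -k capset
#   -a always,exit -F arch=b32 -S capset -k capset

# Constructed sample records, not taken from a real system: a capset and a
# capget from login, a failed 32-bit capset from bash, and an unrelated openat.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1223912551.123:456): arch=c000003e syscall=126 success=yes exit=0 a0=7fff1234 a1=7fff1240 a2=0 a3=0 items=0 ppid=1 pid=2345 auid=4294967295 uid=0 comm="login" exe="/bin/login" key="capset"
type=SYSCALL msg=audit(1223912552.001:457): arch=c000003e syscall=125 success=yes exit=0 a0=7fff1234 a1=7fff1240 a2=0 a3=0 items=0 ppid=1 pid=2345 auid=4294967295 uid=0 comm="login" exe="/bin/login" key="capset"
type=SYSCALL msg=audit(1223912553.500:458): arch=40000003 syscall=185 success=no exit=-1 a0=ffd1a0 a1=ffd1b0 a2=0 a3=0 items=0 ppid=2345 pid=2400 auid=1000 uid=1000 comm="bash" exe="/bin/bash" key="capset"
type=SYSCALL msg=audit(1223912554.000:459): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=1234 a2=0 a3=0 items=1 ppid=2345 pid=2400 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key=(null)
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a field dict; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        fields["time"], fields["serial"] = m.group(1), m.group(2)
    return fields


def capset_events(log: str) -> List[Dict[str, str]]:
    """Return the SYSCALL records whose syscall number is capset for their arch."""
    events = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        # Syscall numbers differ per arch, so match on the (arch, syscall) pair.
        if CAPSET_SYSCALL.get(rec.get("arch")) != int(rec.get("syscall", -1)):
            continue
        keys = ("time", "serial", "pid", "ppid", "auid", "uid", "comm", "exe", "success")
        events.append({k: rec.get(k, "?") for k in keys})
    return events


if __name__ == "__main__":
    for ev in capset_events(SAMPLE_LOG):
        print("{time} capset by pid={pid} auid={auid} exe={exe} success={success}".format(**ev))
```

Failed calls (success=no) are kept on purpose: an attempted capability change is as interesting to an auditor as a successful one.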
