[RFC] linux-2.6.10-auditfs-tc1.patch

Steve Grubb sgrubb at redhat.com
Mon Jan 24 15:43:57 UTC 2005


On Friday 21 January 2005 20:19, Casey Schaufler wrote:
> The Irix CAPP system (for example) uses
> capabilities and yes, they go in the audit trail
> along with an indication of which capabilities were
> required to perform the action, if any.

Which capabilities? The capabilities of the process or the capability required 
to successfully make the syscall? This would likely add a lot of text to the 
message the kernel sends. I would have to say we can't do this unless there 
is a certification requirement that we are trying to meet. Even then, maybe 
something that's a bitmap might be all we can do.

> This is probably a bit late in the discussion,
> but have y'all considered using a tokenized audit
> record format? 

Yes. The audit program has a format_type configuration option so these can be 
written. Send the patch to me or this mail list against the latest audit 
daemon code.

-Steve Grubb
