[RFC] linux-2.6.10-auditfs-tc1.patch
Steve Grubb
sgrubb at redhat.com
Mon Jan 24 15:43:57 UTC 2005
On Friday 21 January 2005 20:19, Casey Schaufler wrote:
> The Irix CAPP system (for example) uses
> capabilities and yes, they go in the audit trail
> along with an indication of which capabilities were
> required to perform the action, if any.
Which capabilities? The capabilities of the process or the capability required
to successfully make the syscall? This would likely add a lot of text to the
message the kernel sends. I would have to say we can't do this unless there
is a certification requirement that we are trying to meet. Even then, maybe
something that's a bitmap might be all we can do.
> This is probably a bit late in the discussion,
> but have y'all considered using a tokenized audit
> record format?
Yes. The audit program has a format_type configuration option so these can be
written. Send the patch to me or this mail list against the latest audit
daemon code.
-Steve Grubb