[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC] linux-2.6.10-auditfs-tc1.patch

--- Steve Grubb <sgrubb redhat com> wrote:

> On Friday 21 January 2005 20:19, Casey Schaufler
> wrote:
> > The Irix CAPP system (for example) uses
> > capabilities and yes, they go in the audit trail
> > along with an indication of which capabilities
> were
> > required to perform the action, if any.
> Which capabilities?

    - The process capability set
    - The set of capabilties that were
      actually required
    - In Irix you can get privilege by
      either having the capabilty or by
      being root. If you got privilege
      not because you have the capability
      but because you're root that is
      indicated as well.
    - If you don't get access the capabilty
      that was checked that failed is noted.
> The capabilities of the process
> or the capability required 
> to successfully make the syscall? This would likely
> add a lot of text to the 
> message the kernel sends.

Yes, it does. On the other hand, it allows you
to identify and filter based on the capability
involved. This is very important in an LSPP
system, where it is very important to keep an
eye on MAC violations.

> I would have to say we
> can't do this unless there 
> is a certification requirement that we are trying to
> meet. Even then, maybe 
> something that's a bitmap might be all we can do.

A bitmap would suffice, although it might not be
very convinient.

> > This is probably a bit late in the discussion,
> > but have y'all considered using a tokenized audit
> > record format? 
> Yes. The audit program has a format_type
> configuration option so these can be 
> written. Send the patch to me or this mail list
> against the latest audit 
> daemon code.

Hum. I'll have to see what I can do.

Casey Schaufler
casey schaufler-ca com

Do you Yahoo!? 
Yahoo! Mail - Easier than ever with enhanced search. Learn more.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]