[RFC] linux-2.6.10-auditfs-tc1.patch

Steve Grubb sgrubb at redhat.com
Mon Jan 24 16:48:30 UTC 2005


On Monday 24 January 2005 11:29, Casey Schaufler wrote:
> > Which capabilities?
>
>     - The process capability set
>     - The set of capabilities that were
>       actually required

Both? The capabilities required should be cast in concrete and not 
configurable. Not sure what value this adds other than a convenience.

>     - In Irix you can get privilege by
>       either having the capability or by
>       being root. If you got privilege
>       not because you have the capability
>       but because you're root that is
>       indicated as well.

In Linux you can be root and not able to add capabilities or lose capabilities 
since you gave up that capability. So, I'm not sure if this is useful in this 
situation.

> > Yes. The audit program has a format_type
> > configuration option so these can be
> > written. Send the patch to me or this mail list
> > against the latest audit
> > daemon code.
>
> Hum. I'll have to see what I can do.

Just write a function similar to format_raw in lib/libaudit.c. Around line 199 
in src/auditd-event.c is a switch statement & LF_RAW case. Just add another 
case to call your formatting function. The formatting function should malloc 
& write to a buffer that the caller will free later. That's all there is to 
it.

-Steve
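
Added example, not part of the original message and not auditd code: a sketch of the pattern described above, where a new formatter returns a malloc'd buffer that the caller frees and is reached through one extra case in the format switch. Only `LF_RAW` comes from the mail; `LF_CAPS`, `struct sketch_event`, `alloc_printf`, `sketch_format_caps`, `sketch_format_event` and the output layout are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins: the real auditd types and format_raw signature are not shown in the mail. */
typedef enum { LF_RAW, LF_CAPS } sketch_format_t; /* LF_CAPS is an assumed new value */
struct sketch_event { int type; const char *data; unsigned long cap_needed; int via_root; };

/* Size the output first, then allocate exactly that much; NULL on any failure. */
static char *alloc_printf(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    char *buf = (n < 0) ? NULL : malloc((size_t)n + 1);
    if (buf != NULL)
        vsnprintf(buf, (size_t)n + 1, fmt, ap2);
    va_end(ap2);
    return buf;
}

/* The added formatter: same ownership contract as the raw path, extra fields appended. */
static char *sketch_format_caps(const struct sketch_event *e)
{
    return alloc_printf("type=%d msg=%s cap_needed=0x%lx via_root=%d",
                        e->type, e->data ? e->data : "", e->cap_needed, e->via_root != 0);
}

/* Dispatch on the configured format. Returns a malloc'd string the caller frees. */
char *sketch_format_event(sketch_format_t fmt, const struct sketch_event *e)
{
    if (e == NULL) return NULL;
    switch (fmt) {
    case LF_RAW:  return alloc_printf("type=%d msg=%s", e->type, e->data ? e->data : "");
    case LF_CAPS: return sketch_format_caps(e);  /* the one added case */
    }
    return NULL;  /* unknown format: fail closed, nothing to free */
}

int main(void)
{
    struct sketch_event ev = { 1300, "syscall=5", 0x2UL, 1 };  /* constructed sample */
    char *line = sketch_format_event(LF_CAPS, &ev);
    if (line != NULL) puts(line);
    free(line);  /* ownership passed to the caller; free(NULL) is a no-op */
    return 0;
}
```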



