[RFC] linux-2.6.10-auditfs-tc1.patch
Casey Schaufler
casey at schaufler-ca.com
Mon Jan 24 16:57:36 UTC 2005
--- Steve Grubb <sgrubb at redhat.com> wrote:
> On Monday 24 January 2005 11:29, Casey Schaufler wrote:
> > > Which capabilities?
> >
> > - The process capability set
> > - The set of capabilities that were actually required
>
> Both? The capabilities required should be cast in concrete and not configurable. Not sure what value this adds other than a convenience.

If I have 6 capabilities but only need one of them to perform an action, the process list does not identify the policy that is being overridden. If I need 2 capabilities but only have one, the one that I don't have but needed needs to be pointed out. The capabilities required to perform an action will not be set in concrete. For example, accessing /a/file may require different capabilities depending on the mode of /a.

> In Linux you can be root and not able to add capabilities or lose capabilities since you gave up that capability. So, I'm not sure if this is useful in this situation.

You're probably right.

> > > Yes. The audit program has a format_type configuration option so these can be written. Send the patch to me or this mail list against the latest audit daemon code.
> >
> > Hum. I'll have to see what I can do.
>
> Just write a function similar to format_raw in lib/libaudit.c. Around line 199 in src/auditd-event.c is a switch statement & LF_RAW case. Just add another case to call your formatting function. The formatting function should malloc & write to a buffer that the caller will free later. That's all there is to it.

Thank you.

=====
Casey Schaufler
casey at schaufler-ca.com
More information about the Linux-audit
mailing list
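
An added illustration of the two points in this exchange, not code from the audit daemon or from either poster: a formatter that records the process capability set, the set an action required, and the required-but-missing set, returning a malloc'd buffer that the caller frees. The function names, field names and bitmask representation are assumptions, and only Linux capability numbers 0 to 5 are modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Names for Linux capability numbers 0-5; bit i of a mask = capability i. */
static const char *const cap_names[] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill"
};
#define NCAPS (sizeof(cap_names) / sizeof(cap_names[0]))

/* Append "key=name,name" (or "key=none") at offset n; returns new offset. */
static size_t put_set(char *b, size_t n, size_t max, const char *key, uint32_t set)
{
    int first = 1;
    n += snprintf(b + n, max - n, "%s%s=", n ? " " : "", key);
    for (size_t i = 0; i < NCAPS; i++) {
        if (!(set & (1u << i)))
            continue;
        n += snprintf(b + n, max - n, "%s%s", first ? "" : ",", cap_names[i]);
        first = 0;
    }
    if (first)
        n += snprintf(b + n, max - n, "none");
    return n;
}

/* Hypothetical formatter: returns a malloc'd string that the caller frees. */
char *format_caps(uint32_t have, uint32_t required)
{
    size_t max = 512, n = 0;  /* ample: three sets of at most six short names */
    char *buf = malloc(max);
    if (!buf)
        return NULL;
    n = put_set(buf, n, max, "cap_have", have);
    n = put_set(buf, n, max, "cap_required", required);
    put_set(buf, n, max, "cap_missing", required & ~have);  /* needed, not held */
    return buf;
}

int main(void)
{
    /* Constructed case: holds dac_override, needs dac_read_search as well. */
    char *rec = format_caps(0x02, 0x06);
    if (!rec)
        return 1;
    puts(rec);
    free(rec);
    return 0;
}
```

With both sets in the record, the held-but-unneeded and needed-but-missing capabilities can be read off directly instead of being inferred from the process set alone.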