[RFC] linux-2.6.10-auditfs-tc1.patch

Casey Schaufler casey at schaufler-ca.com
Mon Jan 24 19:26:11 UTC 2005


--- Steve Grubb <sgrubb at redhat.com> wrote:

> On Monday 24 January 2005 11:57, Casey Schaufler wrote:
> > If I have 6 capabilities but only need one
> > of them to perform an action the process list
> > does not identify the policy that is being
> > overridden.
> 
> Maybe this is a wording issue. In Linux, you start
> with capabilities and lose them. You cannot override.

A posix capability gives the process the privilege
to override a system policy. A process with
CAP_DAC_READ in its effective set can override
the system DAC policy.

> > If I need 2 capabilities but only 
> > have one, the one that I don't have but needed
> > needs to be pointed out. 
> 
> I can see this being useful when writing software,
> but production systems should have the capabilities
> set correctly at installation.

If everything could be counted on to work just
right then we wouldn't need an audit trail.

> > The capabilities required to perform an action
> > will not be set in concrete. For example, accessing
> > /a/file may require different capabilities
> > depending on the mode of /a.
> 
> We are talking about posix capabilities, right?

Oh my, yes.

> They are bound to a process and enforced on a
> syscall by the kernel. That *is* cast in concrete
> unless you hack the kernel sources.

Yes. A syscall (e.g. open) may require more
than one capability, depending on the objects
involved and their security attributes. Or they
may require none. Whatever the case, the audit
record needs to indicate which of three statements
is true:

    - The action succeeded without use of privilege
    - The action succeeded, but only because it had
      some set of capabilities.
    - The action failed, but would have succeeded
      had it had some set of capabilities.

In either of the last two cases the capabilities
that were checked must be reported, at least
according to the evaluation team I dealt with.

Note that "the action failed, but not because
of the absence of capabilities" is not on the list.
This is the case that does not have to be audited.



=====
Casey Schaufler
casey at schaufler-ca.com
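
Added example, not part of the original message or of the audit patch under discussion: a small C model of the outcome classification described above, which records every capability consulted rather than only a pass/fail result. The MCAP_* bit values, struct audit_rec and model_open() are hypothetical names, and the DAC rules are simplified assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model-only bits; hypothetical names, not the kernel's capability numbers. */
enum { MCAP_DAC_OVERRIDE = 1u << 0, MCAP_DAC_READ_SEARCH = 1u << 1 };

typedef enum {
    AUD_OK_NO_PRIV,     /* succeeded without use of privilege */
    AUD_OK_WITH_CAPS,   /* succeeded, but only because of capabilities */
    AUD_FAIL_NEED_CAPS, /* failed, would have succeeded with capabilities */
    AUD_FAIL_OTHER      /* failed for another reason; not on the audit list */
} audit_outcome;

struct audit_rec {
    audit_outcome outcome;
    uint32_t caps_checked; /* every capability the decision consulted */
    uint32_t caps_missing; /* consulted but absent from the effective set */
};

/* Record the check itself, so the audit record can name what was needed. */
static void cap_check(uint32_t effective, uint32_t cap, struct audit_rec *r)
{
    r->caps_checked |= cap;
    if (!(effective & cap))
        r->caps_missing |= cap;
}

/* Assumed model of opening /a/file for reading: a DAC denial on the directory
 * search consults MCAP_DAC_READ_SEARCH, one on the file read MCAP_DAC_OVERRIDE. */
struct audit_rec model_open(bool exists, bool dir_search_ok, bool file_read_ok,
                            uint32_t effective)
{
    struct audit_rec r = { AUD_OK_NO_PRIV, 0, 0 };
    if (!exists) { r.outcome = AUD_FAIL_OTHER; return r; }
    /* No short-circuit: every needed capability is recorded, even after a miss. */
    if (!dir_search_ok) cap_check(effective, MCAP_DAC_READ_SEARCH, &r);
    if (!file_read_ok)  cap_check(effective, MCAP_DAC_OVERRIDE, &r);
    if (r.caps_missing)      r.outcome = AUD_FAIL_NEED_CAPS;
    else if (r.caps_checked) r.outcome = AUD_OK_WITH_CAPS;
    return r;
}

int main(void)
{
    /* Constructed case: two capabilities needed, only one held. */
    struct audit_rec r = model_open(true, false, false, MCAP_DAC_OVERRIDE);
    printf("outcome=%d checked=0x%x missing=0x%x\n", (int)r.outcome,
           (unsigned)r.caps_checked, (unsigned)r.caps_missing);
    return 0;
}
```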


		



