[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: auditing file based capabilities

On Mon, 2008-10-13 at 09:04 -0500, Serge E. Hallyn wrote:
> Except I think setcap should also be audited, so that if a task receives
> some inheritable capabilities, you can tell from the logs when that
> happened and which executable did it.
> Do you already have a patch for this?
> -serge

I think it already happens right (?):

node=hugo type=USER_CMD msg=audit(10/13/2008 10:13:33.616:27271) : user
pid=5202 uid=root auid=lenny subj=user_u:user_r:user_t:s0-s15:c0.c1023
msg='cwd=/home/lenny/src2/OED/test/audit cmd=/usr/sbin/setcap
cap_audit_write+pe audit-test (terminal=pts/4 res=success)' 
node=hugo type=PATH msg=audit(10/13/2008 10:13:33.617:27272) : item=0
name=audit-test inode=820271 dev=fd:00 mode=file,755 ouid=lenny
ogid=lenny rdev=00:00 obj=user_u:object_r:user_home_t:s0 
node=hugo type=CWD msg=audit(10/13/2008 10:13:33.617:27272) :
node=hugo type=SYSCALL msg=audit(10/13/2008 10:13:33.617:27272) :
arch=x86_64 syscall=setxattr success=yes exit=0 a0=7fff68c57a2a
a1=35a1402b44 a2=7fff68c55b20 a3=14 items=1 ppid=11723 pid=5202
auid=lenny uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=pts4 ses=215 comm=setcap exe=/usr/sbin/setcap
subj=user_u:user_r:user_t:s0-s15:c0.c1023 key=(null) 
node=hugo type=AVC msg=audit(10/13/2008 10:13:33.617:27272) : avc:
denied  { setfcap } for  pid=5202 comm=setcap
tcontext=user_u:user_r:user_t:s0-s15:c0.c1023 tclass=capability 


LC (Lenny) Bruzenak
lenny magitekltd com

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]