[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: auditing file based capabilities



Quoting Steve Grubb (sgrubb redhat com):
> On Monday 13 October 2008 10:04:27 Serge E. Hallyn wrote:
> > Except I think setcap should also be audited, so that if a task receives
> > some inheritable capabilities, you can tell from the logs when that
> > happened and which executable did it.
> >
> > Do you already have a patch for this?
> 
> Would an audit rule for setxattrs cover the setting?

Sorry, I meant capset :)

A task changing its capability sets.  Particularly if it adds to pI (as
login/pam_cap will likely do).

-serge


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]