PATH records show fcaps
Serge E. Hallyn
serue at us.ibm.com
Mon Oct 20 20:01:24 UTC 2008
Quoting Eric Paris (eparis at redhat.com):
> ok, I thought you were complaining the pI didn't have cap_net_admin.
> The bug you spotted (I just can't read) was actually me just copy and
> pasting the wrong thing into this discussion.
Cool, just making sure.
> I think we all 'sorta' agree on what we want, I'll send 3 final patches
> in an hour or two when I'm happy they work properly...
>
> 1) log fP, fE, fI, fver in PATH records
> 2) new record to execve when fcaps increase pE or pP
> 3) new record to capset which records the arguments pid, pP, pI, pE.
Great, thanks.
-serge