Re: auditing file based capabilities
On Mon, 2008-10-13 at 09:04 -0500, Serge E. Hallyn wrote:
...
Except I think setcap should also be audited, so that if a task receives
some inheritable capabilities, you can tell from the logs when that
happened and which executable did it.
Do you already have a patch for this?
-serge
I think it already happens right (?):
node=hugo type=USER_CMD msg=audit(10/13/2008 10:13:33.616:27271) : user
pid=5202 uid=root auid=lenny subj=user_u:user_r:user_t:s0-s15:c0.c1023
msg='cwd=/home/lenny/src2/OED/test/audit cmd=/usr/sbin/setcap
cap_audit_write+pe audit-test (terminal=pts/4 res=success)'
----
node=hugo type=PATH msg=audit(10/13/2008 10:13:33.617:27272) : item=0
name=audit-test inode=820271 dev=fd:00 mode=file,755 ouid=lenny
ogid=lenny rdev=00:00 obj=user_u:object_r:user_home_t:s0
node=hugo type=CWD msg=audit(10/13/2008 10:13:33.617:27272) :
cwd=/home/lenny/src2/OED/test/audit
node=hugo type=SYSCALL msg=audit(10/13/2008 10:13:33.617:27272) :
arch=x86_64 syscall=setxattr success=yes exit=0 a0=7fff68c57a2a
a1=35a1402b44 a2=7fff68c55b20 a3=14 items=1 ppid=11723 pid=5202
auid=lenny uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=pts4 ses=215 comm=setcap exe=/usr/sbin/setcap
subj=user_u:user_r:user_t:s0-s15:c0.c1023 key=(null)
node=hugo type=AVC msg=audit(10/13/2008 10:13:33.617:27272) : avc:
denied { setfcap } for pid=5202 comm=setcap
capability=scontext=user_u:user_r:user_t:s0-s15:c0.c1023
tcontext=user_u:user_r:user_t:s0-s15:c0.c1023 tclass=capability
LCB.
--
LC (Lenny) Bruzenak
lenny(a)magitekltd.com