--- Steve Grubb <sgrubb(a)redhat.com> wrote:

> On Friday 21 January 2005 20:19, Casey Schaufler wrote:
> > The Irix CAPP system (for example) uses
> > capabilities and yes, they go in the audit trail
> > along with an indication of which capabilities were
> > required to perform the action, if any.
>
> Which capabilities?

- The process capability set
- The set of capabilities that were actually required
- In Irix you can get privilege by either having the capability or by
  being root. If you got privilege not because you have the capability
  but because you're root, that is indicated as well.
- If you don't get access, the capability that was checked and that
  failed is noted.

> The capabilities of the process or the capability required
> to successfully make the syscall? This would likely add a lot of text
> to the message the kernel sends.

Yes, it does. On the other hand, it allows you to identify and filter
based on the capability involved. This is very important in an LSPP
system, where it is very important to keep an eye on MAC violations.

> I would have to say we can't do this unless there is a certification
> requirement that we are trying to meet. Even then, maybe something
> that's a bitmap might be all we can do.

A bitmap would suffice, although it might not be very convenient.

> > This is probably a bit late in the discussion, but have y'all
> > considered using a tokenized audit record format?
>
> Yes. The audit program has a format_type configuration option so these
> can be written. Send the patch to me or this mail list against the
> latest audit daemon code.

Hum. I'll have to see what I can do.
=====
Casey Schaufler
casey(a)schaufler-ca.com
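The four things Casey lists (the process capability set, the set actually required, privilege obtained as root rather than via a capability, and the capability whose check failed) can all be recovered from the bitmap Steve suggests, provided the consumer decodes it. The following is an added example, not code from this thread or from the audit daemon: a small Python decoder plus a filter that answers "which records involved CAP_SYS_ADMIN, and was the privilege held, granted for being root, or denied?" over a few constructed audit lines. The field names cap_proc and cap_req, the sample records and the root-without-capability case are assumptions made for illustration; the capability numbering is the Linux one.

```python
"""Decode capability bitmaps in audit records and filter on the capability
involved. Added example, not the audit daemon's code: the fields cap_proc
and cap_req and the sample lines below are constructed for illustration."""
import re

# Linux capability numbering (bit index == capability number), from
# <linux/capability.h>; the table stops at CAP_AUDIT_CONTROL (30).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL",
]


def decode_caps(bitmap):
    """Expand a hex capability bitmap into capability names, lowest bit first.
    Bits beyond the table are reported as CAP_<n> rather than dropped, so a
    capability this table does not know is never silently lost."""
    value = int(bitmap, 16)
    names = []
    bit = 0
    while value >> bit:
        if (value >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit)
        bit += 1
    return names


def encode_caps(names):
    """Inverse of decode_caps: capability names -> hex bitmap."""
    value = 0
    for name in names:
        value |= 1 << CAP_NAMES.index(name)
    return "0x%x" % value


FIELD_RE = re.compile(r"(\w+)=(\S+)")
SERIAL_RE = re.compile(r"audit\(\d+\.\d+:(\d+)\)")


def parse_record(line):
    """Split an audit line into a dict of key=value fields plus its serial."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    rec["serial"] = int(m.group(1)) if m else None
    return rec


def privilege_events(lines, capability):
    """Return (serial, source) for every record in which `capability` was
    required. source is "capability" (the process held it), "root" (granted
    for being uid 0 without holding it, the Irix case in the thread) or
    "denied" (the check failed)."""
    bit = CAP_NAMES.index(capability)
    events = []
    for line in lines:
        rec = parse_record(line)
        if "cap_req" not in rec or not (int(rec["cap_req"], 16) >> bit) & 1:
            continue  # this capability played no part in the decision
        held = (int(rec.get("cap_proc", "0"), 16) >> bit) & 1
        if rec.get("success") != "yes":
            source = "denied"
        elif held:
            source = "capability"
        else:
            source = "root"
        events.append((rec["serial"], source))
    return events


# Constructed sample records (not real kernel output): cap_proc is the
# process's capability set, cap_req the set the syscall required.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1106343600.101:201): success=yes uid=1000 '
    'cap_proc=0x200000 cap_req=0x200000 comm="example"',
    'type=SYSCALL msg=audit(1106343600.102:202): success=yes uid=0 '
    'cap_proc=0x0 cap_req=0x200000 comm="example"',
    'type=SYSCALL msg=audit(1106343600.103:203): success=no uid=1000 '
    'cap_proc=0x0 cap_req=0x200000 comm="example"',
    'type=SYSCALL msg=audit(1106343600.104:204): success=yes uid=1000 '
    'cap_proc=0x1000 cap_req=0x1000 comm="example"',
]

if __name__ == "__main__":
    for serial, source in privilege_events(SAMPLE_LINES, "CAP_SYS_ADMIN"):
        print(serial, source)
```

Run stand-alone it lists records 201 (capability held), 202 (root) and 203 (denied) for CAP_SYS_ADMIN and skips 204, which only involved CAP_NET_ADMIN. The inconvenience Casey mentions is visible in the two hex fields: the filter has to know the bit numbering, whereas the Irix-style record names the capability directly.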