On Friday 21 January 2005 20:19, Casey Schaufler wrote:
> The Irix CAPP system (for example) uses
> capabilities and yes, they go in the audit trail
> along with an indication of which capabilities were
> required to perform the action, if any.
Which capabilities? The capabilities of the process or the capability required
to successfully make the syscall? This would likely add a lot of text to the
message the kernel sends. I would have to say we can't do this unless there
is a certification requirement that we are trying to meet. Even then, maybe
something that's a bitmap might be all we can do.
> This is probably a bit late in the discussion,
> but have y'all considered using a tokenized audit
> record format?
Yes. The audit program has a format_type configuration option so these can be
written. Send the patch to me or this mail list against the latest audit
daemon code.
-Steve Grubb