Re: auditing file based capabilities
Quoting Steve Grubb (sgrubb(a)redhat.com):
On Monday 13 October 2008 10:04:27 Serge E. Hallyn wrote:
> Except I think setcap should also be audited, so that if a task receives
> some inheritable capabilities, you can tell from the logs when that
> happened and which executable did it.
>
> Do you already have a patch for this?
Would an audit rule for setxattrs cover the setting?
Sorry, I meant capset :)
A task changing its capability sets. Particularly if it adds to pI (as
login/pam_cap will likely do).
-serge