From: LC Bruzenak <lenny@magitekltd.com>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: Linux Audit <linux-audit@redhat.com>
Subject: Re: auditing file based capabilities
Date: Mon, 13 Oct 2008 10:25:15 -0500
Message-ID: <1223911515.6868.145.camel@homeserver>
In-Reply-To: <20081013140427.GC21812@us.ibm.com>

On Mon, 2008-10-13 at 09:04 -0500, Serge E. Hallyn wrote:
...
> 
> Except I think setcap should also be audited, so that if a task receives
> some inheritable capabilities, you can tell from the logs when that
> happened and which executable did it.
> 
> Do you already have a patch for this?
> 
> -serge

I think it already happens, right (?):

node=hugo type=USER_CMD msg=audit(10/13/2008 10:13:33.616:27271) : user
pid=5202 uid=root auid=lenny subj=user_u:user_r:user_t:s0-s15:c0.c1023
msg='cwd=/home/lenny/src2/OED/test/audit cmd=/usr/sbin/setcap
cap_audit_write+pe audit-test (terminal=pts/4 res=success)' 
----
node=hugo type=PATH msg=audit(10/13/2008 10:13:33.617:27272) : item=0
name=audit-test inode=820271 dev=fd:00 mode=file,755 ouid=lenny
ogid=lenny rdev=00:00 obj=user_u:object_r:user_home_t:s0 
node=hugo type=CWD msg=audit(10/13/2008 10:13:33.617:27272) :
cwd=/home/lenny/src2/OED/test/audit 
node=hugo type=SYSCALL msg=audit(10/13/2008 10:13:33.617:27272) :
arch=x86_64 syscall=setxattr success=yes exit=0 a0=7fff68c57a2a
a1=35a1402b44 a2=7fff68c55b20 a3=14 items=1 ppid=11723 pid=5202
auid=lenny uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=pts4 ses=215 comm=setcap exe=/usr/sbin/setcap
subj=user_u:user_r:user_t:s0-s15:c0.c1023 key=(null) 
node=hugo type=AVC msg=audit(10/13/2008 10:13:33.617:27272) : avc:
denied  { setfcap } for  pid=5202 comm=setcap
capability=scontext=user_u:user_r:user_t:s0-s15:c0.c1023
tcontext=user_u:user_r:user_t:s0-s15:c0.c1023 tclass=capability 


LCB.

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com
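The records quoted above, read by a small detector written for this thread (an added example; it is not code from the message, from Lenny, or from the audit project). It re-joins the mail-wrapped `ausearch -i` style records, groups them by the audit serial in `msg=audit(...:serial)`, and reports the three places a file-capability grant shows up in the quoted output: the USER_CMD whose command line runs setcap, the SYSCALL setxattr issued by a setcap executable (resolved to a file through the event's PATH and CWD records), and the AVC denial of setfcap. The sample input is the message's own output embedded verbatim; every function and regex name is mine, and matching the SYSCALL on exe=setcap is a heuristic I chose, because the record shows the syscall but not the xattr name being written.

```python
"""Flag file-capability changes in ausearch -i style audit output (added example, not the page's code)."""
import os
import re

# Constructed sample: the records quoted in the message above, still mail-wrapped.
SAMPLE_LOG = """\
node=hugo type=USER_CMD msg=audit(10/13/2008 10:13:33.616:27271) : user
pid=5202 uid=root auid=lenny subj=user_u:user_r:user_t:s0-s15:c0.c1023
msg='cwd=/home/lenny/src2/OED/test/audit cmd=/usr/sbin/setcap
cap_audit_write+pe audit-test (terminal=pts/4 res=success)'
----
node=hugo type=PATH msg=audit(10/13/2008 10:13:33.617:27272) : item=0
name=audit-test inode=820271 dev=fd:00 mode=file,755 ouid=lenny
ogid=lenny rdev=00:00 obj=user_u:object_r:user_home_t:s0
node=hugo type=CWD msg=audit(10/13/2008 10:13:33.617:27272) :
cwd=/home/lenny/src2/OED/test/audit
node=hugo type=SYSCALL msg=audit(10/13/2008 10:13:33.617:27272) :
arch=x86_64 syscall=setxattr success=yes exit=0 a0=7fff68c57a2a
a1=35a1402b44 a2=7fff68c55b20 a3=14 items=1 ppid=11723 pid=5202
auid=lenny uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=pts4 ses=215 comm=setcap exe=/usr/sbin/setcap
subj=user_u:user_r:user_t:s0-s15:c0.c1023 key=(null)
node=hugo type=AVC msg=audit(10/13/2008 10:13:33.617:27272) : avc:
denied  { setfcap } for  pid=5202 comm=setcap
capability=scontext=user_u:user_r:user_t:s0-s15:c0.c1023
tcontext=user_u:user_r:user_t:s0-s15:c0.c1023 tclass=capability
"""

RECORD_START_RE = re.compile(r"^(?:node=\S+\s+)?type=\w+\s+msg=audit\(")
RECORD_RE = re.compile(r"^(?:node=\S+\s+)?type=(?P<type>\w+)\s+msg=audit\("
                       r".+?:(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")          # key=value, values may be 'quoted'
CAPSPEC_RE = re.compile(r"^(?P<caps>cap_\w+(?:,cap_\w+)*)(?P<op>[+=-])(?P<flags>[pie]*)$")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")


def unwrap(text):
    """Re-join records a mail client wrapped; drop blank lines and '----' separators."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "----":
            continue
        if RECORD_START_RE.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def parse_events(text):
    """{serial: [{"type", "body", "fields"}, ...]} in log order (one serial = one event)."""
    events = {}
    for line in unwrap(text):
        m = RECORD_RE.match(line)
        if m:
            events.setdefault(m.group("serial"), []).append(
                {"type": m.group("type"), "body": m.group("body"),
                 "fields": dict(KV_RE.findall(m.group("body")))})
    return events


def find_capability_changes(text):
    findings = []
    for serial, recs in parse_events(text).items():
        by_type = {t: [r for r in recs if r["type"] == t]
                   for t in ("USER_CMD", "SYSCALL", "PATH", "CWD", "AVC")}
        # (1) User-space side: a USER_CMD (sudo and friends) whose command line runs setcap.
        for r in by_type["USER_CMD"]:
            inner = r["fields"].get("msg", "").strip("'")
            cmd = re.search(r"cmd=(.+?)(?:\s+\(terminal=|$)", inner)
            argv = cmd.group(1).split() if cmd else []
            if len(argv) >= 3 and os.path.basename(argv[0]) == "setcap":
                spec = CAPSPEC_RE.match(argv[1])  # first clause only, e.g. cap_audit_write+pe
                cwd, res = re.search(r"cwd=(\S+)", inner), re.search(r"res=(\w+)", inner)
                findings.append({"kind": "setcap_command", "serial": serial,
                                 "auid": r["fields"].get("auid"), "uid": r["fields"].get("uid"),
                                 "cwd": cwd.group(1) if cwd else None,
                                 "result": res.group(1) if res else None,
                                 "caps": spec.group("caps").split(",") if spec else None,
                                 "op": spec.group("op") if spec else None,
                                 "flags": spec.group("flags") if spec else None,
                                 "target": argv[2]})
        # (2) Kernel side: setxattr(2) from a setcap binary, resolved via PATH/CWD (exe match is a heuristic).
        for r in by_type["SYSCALL"]:
            f = r["fields"]
            if (f.get("syscall") in ("setxattr", "lsetxattr", "fsetxattr")
                    and os.path.basename(f.get("exe", "")) == "setcap"):
                cwds = [c["fields"].get("cwd") for c in by_type["CWD"]]
                findings.append({"kind": "setxattr_by_setcap", "serial": serial,
                                 "auid": f.get("auid"), "uid": f.get("uid"), "exe": f.get("exe"),
                                 "success": f.get("success"), "cwd": cwds[0] if cwds else None,
                                 "paths": [p["fields"].get("name") for p in by_type["PATH"]]})
        # (3) SELinux side: an AVC record denying setfcap inside the same event.
        for r in by_type["AVC"]:
            m = AVC_RE.search(r["body"])
            if m and m.group("verdict") == "denied" and "setfcap" in m.group("perms").split():
                findings.append({"kind": "avc_denied_setfcap", "serial": serial,
                                 "pid": r["fields"].get("pid"), "comm": r["fields"].get("comm"),
                                 "perms": m.group("perms").split()})
    return findings
```

Calling `find_capability_changes(SAMPLE_LOG)` returns one finding per record type, all carrying the auid (lenny) and the serial so they can be joined. The quoted event has success=yes on the setxattr and an AVC denial of setfcap under the same serial 27272, which is why the detector keys on the serial rather than on a single record type. A process that writes the xattr with setxattr(2) directly would not be named setcap, so rule (2) only covers the setcap tool itself.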

Thread overview:
2008-10-13 11:15 auditing file based capabilities Steve Grubb
2008-10-13 14:04 ` Serge E. Hallyn
2008-10-13 15:21   ` Steve Grubb
2008-10-13 15:42     ` Serge E. Hallyn
2008-10-13 16:53       ` Steve Grubb
2008-10-13 15:25   ` LC Bruzenak [this message]
