[opensuse-factory] Does auditd support auditing process capabilities?
Hi:

I cannot find any reference about $SUBJECT, is it possible to use auditd for getting logs about what capabilities a process X requires?

I have found a kernel module called "capable_probe" but it is not working nowadays.

Thanks for any pointers :)
Hello,

On Wednesday, 14 December 2011, Cristian Rodríguez wrote:
> I cannot find any reference about $SUBJECT, is it possible to use auditd for getting logs about what capabilities a process X requires?

The easiest way I know: Create an AppArmor profile (with aa-genprof) for the process you want to audit ;-) It will include all used capabilities and also all files the process accesses.

(For bonus points, submit the profile to bugzilla (component AppArmor) or upstream.)

There is probably a way to let auditd log capabilities without generating an AppArmor profile, but I don't know how to do this ;-)

Regards,

Christian Boltz
--
SYNOPSIS glimpse - [almost all letters] pattern
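What the profile generator reads to find those capabilities, as an added example that is not part of the original thread: while a profile is in complain mode, the kernel logs each capability check as an AppArmor audit record with operation="capable", and this Python script collects them per profile and prints the matching profile rules. The log lines, profile paths and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread). "ALLOWED" is
# logged in complain mode, "DENIED" in enforce mode.
SAMPLE_LOG = '''\
type=AVC msg=audit(1323867601.101:210): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/exampled" pid=4021 comm="exampled" capability=10 capname="net_bind_service"
type=AVC msg=audit(1323867601.105:211): apparmor="ALLOWED" operation="open" profile="/usr/sbin/exampled" name="/etc/exampled.conf" pid=4021 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1323867602.310:212): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/exampled" pid=4021 comm="exampled" capability=7 capname="setuid"
type=AVC msg=audit(1323867602.311:213): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/exampled" pid=4021 comm="exampled" capability=10 capname="net_bind_service"
type=AVC msg=audit(1323867609.000:214): apparmor="DENIED" operation="capable" profile="/usr/bin/othertool" pid=4100 comm="othertool" capability=21 capname="sys_admin"
type=SYSCALL msg=audit(1323867609.000:214): arch=c000003e syscall=165 success=no exit=-1 comm="othertool"
'''

# key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line):
    """Split one audit record into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def capabilities_by_profile(log_text):
    """Map profile -> capability name -> set of verdicts (ALLOWED/DENIED)."""
    caps = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = parse_fields(line)
        # Only AppArmor capability checks carry apparmor= and operation="capable".
        if fields.get("operation") != "capable" or "apparmor" not in fields:
            continue
        if "profile" not in fields or "capname" not in fields:
            continue  # truncated or malformed record
        caps[fields["profile"]][fields["capname"]].add(fields["apparmor"])
    return caps


def profile_rules(log_text, profile):
    """Return the capability rules a profile would need, sorted and deduplicated."""
    seen = capabilities_by_profile(log_text).get(profile, {})
    return [f"capability {name}," for name in sorted(seen)]


if __name__ == "__main__":
    for profile, caps in capabilities_by_profile(SAMPLE_LOG).items():
        print(profile)
        for rule in profile_rules(SAMPLE_LOG, profile):
            print("  " + rule)
```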