lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Mon, 20 Oct 2014 19:33:39 -0400
From:	Steve Grubb <>
To:	Paul Moore <>
Cc:	Eric Paris <>,
	Richard Guy Briggs <>,,,
Subject: Re: [PATCH V5 0/5] audit by executable name

On Monday, October 20, 2014 07:02:33 PM Paul Moore wrote:
> On Monday, October 20, 2014 06:47:27 PM Eric Paris wrote:
> > On Mon, 2014-10-20 at 16:25 -0400, Steve Grubb wrote:
> > > On Thursday, October 02, 2014 11:06:51 PM Richard Guy Briggs wrote:
> > > > This is a part of Peter Moody, my and Eric Paris' work to implement
> > > > audit by executable name.
> > > 
> > > Does this patch set define an AUDIT_VERSION_SOMETHING and then set
> > > AUDIT_VERSION_LATEST to it? If not, I need one to tell if the kernel
> > > supports it when issuing commands. Also, if its conceivable that kernels
> > > may pick and choose what features could be backported to a curated
> > > kernel, should AUDIT_VERSION_ be a number that is incremented or a bit
> > > mask?
> > 
> > Right now the value is 2. So this is your last hope if you want to make
> > it a bitmask. I'll leave that up to paul/richard to (over) design.
> Audit is nothing if not over-designed.  I want to make sure we're consistent
> with the previous design methodologies ;)
> I've been thinking about this for about the past half-hour while I've been
> going through some other mail and I'm not really enthused about using the
> version number to encode capabilities.  What sort of problems would we have
> if we introduced a new audit netlink command to query the kernel for audit
> capabilities?

I thought that is what we were getting in this patch:

As I understood it, I send an AUDIT_GET command on netlink and then look in 
status.version to see what we have. I really think that in the mainline 
kernel, there will be a steady increment of capabilities. However, for 
distributions, they may want to pick and choose which capabilities to backport 
to their shipping kernel. Meaning in practice, a bitmap may be better to allow 
cherry picking capabilities and user space being able to make informed 

I really don't mind if this is done by a new netlink command (but if we do, 
what happens to status.version?) or if we just keep going with status.version. 
Just tell me which it is.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

Powered by blists - more mailing lists