auditd and CAP_AUDIT_READ
Richard Guy Briggs
rgb at redhat.com
Thu Nov 15 00:57:07 UTC 2018
Hi Steve,
In commit 183775f155cb96d8012c2d493041a03f1b825b2f ("Do capabilities
check rather than uid") a switch was made from checking "getuid() != 0"
to checking CAP_AUDIT_CONTROL and CAP_AUDIT_READ via audit_can_control()
and audit_can_read().
Does auditd use the multicast socket? If not, there is no need for it
to check or have CAP_AUDIT_READ.
Having audit_can_read() available in lib/libaudit.c is certainly useful
regardless for other potential libaudit users like systemd.
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
More information about the Linux-audit
mailing list