auditd and CAP_AUDIT_READ

Paul Moore paul at paul-moore.com
Thu Nov 15 13:07:43 UTC 2018


On Thu, Nov 15, 2018 at 5:22 AM Steve Grubb <sgrubb at redhat.com> wrote:
> On Wed, 14 Nov 2018 19:57:07 -0500
> Richard Guy Briggs <rgb at redhat.com> wrote:
>
> > Hi Steve,
> >
> > In commit 183775f155cb96d8012c2d493041a03f1b825b2f ("Do capabilities
> > check rather than uid") a switch was made from checking "getuid() !=
> > 0" to checking CAP_AUDIT_CONTROL and CAP_AUDIT_READ via
> > audit_can_control() and audit_can_read().
> >
> > Does auditd use the multicast socket?
>
> No. It uses the prime guaranteed delivery netlink connection.
>
> > If not, there is no need for it to check or have CAP_AUDIT_READ
>
> I thought that the prime audit connection requires a capability check
> to ensure a process without proper privilege does not replace the audit
> daemon...since that's now possible.

Establishing an audit daemon connection requires CAP_AUDIT_CONTROL.

-- 
paul moore
www.paul-moore.com




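The distinction drawn in the thread (CAP_AUDIT_CONTROL gates the unicast audit-daemon connection, CAP_AUDIT_READ gates the multicast socket) can be checked from user space by inspecting a process's effective capability mask. The following is an added example, not code from auditd or from anyone on this thread: it parses the CapEff line of /proc/self/status and answers the two questions audit_can_control() and audit_can_read() are described as answering. The bit numbers come from <linux/capability.h>; the helper names and the mask-string interface are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
#define CAP_AUDIT_WRITE   29
#define CAP_AUDIT_CONTROL 30
#define CAP_AUDIT_READ    37

/* Return 1 if capability bit `cap` is set in a mask given as the hex
 * string used by /proc/<pid>/status (e.g. the value after "CapEff:"). */
int cap_mask_has(const char *hexmask, int cap)
{
    uint64_t mask = strtoull(hexmask, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Hypothetical counterparts of the checks the thread refers to, taking the
 * mask as a string so they can be exercised without root privileges:
 * the unicast audit-daemon connection needs CAP_AUDIT_CONTROL, the
 * multicast socket needs CAP_AUDIT_READ. */
int audit_can_control_mask(const char *hexmask)
{
    return cap_mask_has(hexmask, CAP_AUDIT_CONTROL);
}

int audit_can_read_mask(const char *hexmask)
{
    return cap_mask_has(hexmask, CAP_AUDIT_READ);
}

/* Copy the hex mask from the CapEff line of /proc/self/status into buf.
 * Returns 0 on success, -1 if the file or the line could not be read. */
int read_cap_eff(char *buf, size_t buflen)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            while (*p == ' ' || *p == '\t')
                p++;
            strncpy(buf, p, buflen - 1);
            buf[buflen - 1] = '\0';
            buf[strcspn(buf, "\n")] = '\0';   /* drop trailing newline */
            fclose(f);
            return 0;
        }
    }
    fclose(f);
    return -1;
}

int main(void)
{
    char caps[64];
    if (read_cap_eff(caps, sizeof caps) != 0) {
        perror("/proc/self/status");
        return 1;
    }
    printf("CapEff=%s  audit_control=%d  audit_read=%d\n", caps,
           audit_can_control_mask(caps), audit_can_read_mask(caps));
    return 0;
}
```

Run as an unprivileged user the program normally reports both checks as 0; a daemon that only needs the prime netlink connection should show audit_control=1 with audit_read=0 if its capability set has been minimised as the thread suggests.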