Re: auditd and CAP_AUDIT_READ

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: auditd and CAP_AUDIT_READ
Date: Thu, 15 Nov 2018 09:51:40 +0000	[thread overview]
Message-ID: <20181115095140.35cb44fa@ivy-bridge> (raw)
In-Reply-To: <20181115005707.rw6rurt3sh3rmiie@madcap2.tricolour.ca>

On Wed, 14 Nov 2018 19:57:07 -0500
Richard Guy Briggs <rgb@redhat.com> wrote:

> Hi Steve,
> 
> In commit 183775f155cb96d8012c2d493041a03f1b825b2f ("Do capabilities
> check rather than uid") a switch was made from checking "getuid() !=
> 0" to checking CAP_AUDIT_CONTROL and CAP_AUDIT_READ via
> audit_can_control() and audit_can_read().
> 
> Does auditd use the multicast socket?

No. It uses the prime guaranteed delivery netlink connection.

> If not, there is no need for it to check or have CAP_AUDIT_READ

I thought that the prime audit connection requires a capability check
to ensure a process without proper privilege does not replace the audit
daemon...since that's now possible. Are there privilege checks for who
can connect to the audit socket? Shouldn't that process also have
CAP_AUDIT_READ since that is what it will be doing?

> Having audit_can_read() available in lib/libaudit.c is certainly
> useful regardless for other potential libaudit users like systemd.

I have never tried to make libaudit work with multicast sockets because
I'm against the whole concept.

-Steve

next prev parent reply	other threads:[~2018-11-15  9:51 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-15  0:57 auditd and CAP_AUDIT_READ Richard Guy Briggs
2018-11-15  9:51 ` Steve Grubb [this message]
2018-11-15 13:07   ` Paul Moore
2018-11-15 13:23   ` Richard Guy Briggs
2018-11-15 23:45     ` Steve Grubb
2018-11-16  2:11       ` Richard Guy Briggs
2018-11-17 17:30         ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181115095140.35cb44fa@ivy-bridge \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    --cc=rgb@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox