On Thu, Nov 15, 2018 at 5:22 AM Steve Grubb <[email protected]> wrote:
> On Wed, 14 Nov 2018 19:57:07 -0500
> Richard Guy Briggs <[email protected]> wrote:
>
> > Hi Steve,
> >
> > In commit 183775f155cb96d8012c2d493041a03f1b825b2f ("Do capabilities
> > check rather than uid") a switch was made from checking "getuid() !=
> > 0" to checking CAP_AUDIT_CONTROL and CAP_AUDIT_READ via
> > audit_can_control() and audit_can_read().
> >
> > Does auditd use the multicast socket?
>
> No. It uses the prime guaranteed delivery netlink connection.
>
> > If not, there is no need for it to check or have CAP_AUDIT_READ
>
> I thought that the prime audit connection requires a capability check
> to ensure a process without proper privilege does not replace the audit
> daemon...since that's now possible.

Establishing an audit daemon connection requires CAP_AUDIT_CONTROL.

--
paul moore
www.paul-moore.com
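
The distinction drawn in this thread (CAP_AUDIT_CONTROL for the audit daemon connection, CAP_AUDIT_READ for the multicast socket), as an added example that is not from the thread or from the audit project: a C check that reads the CapEff mask from a /proc/<pid>/status excerpt and reports which of the two capabilities a process holds. The sample excerpts, process names and ROLE_* flags are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Capability bit numbers from <linux/capability.h>. */
#define CAP_AUDIT_CONTROL_BIT 30
#define CAP_AUDIT_READ_BIT    37
#define ROLE_DAEMON_CONN    1 /* may establish the audit daemon connection */
#define ROLE_MULTICAST_READ 2 /* may read the audit multicast socket */

/* Constructed excerpts of /proc/<pid>/status; process names are made up. */
static const char SAMPLE_DAEMON[] =
    "Name:\tauditd\nCapPrm:\t0000000040000000\nCapEff:\t0000000040000000\n";
static const char SAMPLE_READER[] =
    "Name:\tlogreader\nCapPrm:\t0000002000000000\nCapEff:\t0000002000000000\n";

/* Find the CapEff line and parse its hex mask; 0 on success, -1 if absent or empty. */
int parse_cap_eff(const char *status, unsigned long long *mask)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *v = p + 7;
            while (*v == ' ' || *v == '\t') v++;
            if (!isxdigit((unsigned char)*v)) return -1; /* keep strtoull off the next line */
            *mask = strtoull(v, NULL, 16);
            return 0;
        }
        if ((p = strchr(p, '\n')) != NULL) p++; /* advance to the next line */
    }
    return -1;
}

/* Return ROLE_* flags for one status excerpt, or -1 if CapEff cannot be read. */
int audit_roles(const char *status)
{
    unsigned long long mask;
    int roles = 0;
    if (parse_cap_eff(status, &mask) != 0) return -1;
    if (mask & (1ULL << CAP_AUDIT_CONTROL_BIT)) roles |= ROLE_DAEMON_CONN;
    if (mask & (1ULL << CAP_AUDIT_READ_BIT)) roles |= ROLE_MULTICAST_READ;
    return roles;
}

int main(void)
{
    printf("auditd=%d reader=%d\n", audit_roles(SAMPLE_DAEMON), audit_roles(SAMPLE_READER));
    return 0;
}
```

Run over the real /proc/<pid>/status of each process, the same check lists every process that holds CAP_AUDIT_CONTROL, which is the set worth reviewing given the daemon-replacement concern raised above.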
