On 2018-11-15 09:51, Steve Grubb wrote:
> On Wed, 14 Nov 2018 19:57:07 -0500
> Richard Guy Briggs <[email protected]> wrote:
>
> > Hi Steve,
> >
> > In commit 183775f155cb96d8012c2d493041a03f1b825b2f ("Do capabilities
> > check rather than uid") a switch was made from checking "getuid() != 0"
> > to checking CAP_AUDIT_CONTROL and CAP_AUDIT_READ via
> > audit_can_control() and audit_can_read().
> >
> > Does auditd use the multicast socket?
>
> No. It uses the prime guaranteed delivery netlink connection.

So all it needs is CAP_AUDIT_CONTROL as it did previously. Other user
applications that write AUDIT_USER* messages need CAP_AUDIT_WRITE.
CAP_AUDIT_READ gates the bind function which is used to join a multicast
group (of which there is only one).

> > If not, there is no need for it to check or have CAP_AUDIT_READ
>
> I thought that the prime audit connection requires a capability check
> to ensure a process without proper privilege does not replace the audit
> daemon...since that's now possible. Are there privilege checks for who
> can connect to the audit socket? Shouldn't that process also have
> CAP_AUDIT_READ since that is what it will be doing?

The only cap that will let a daemon be checked for replacement is
CAP_AUDIT_CONTROL. CAP_AUDIT_READ is only used for the unreliable
reception of multicast audit log records. The unicast socket is gated by
CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE. The multicast read-only unreliable
socket is gated by CAP_AUDIT_READ.

> > Having audit_can_read() available in lib/libaudit.c is certainly
> > useful regardless for other potential libaudit users like systemd.
>
> I have never tried to make libaudit work with multicast sockets because
> I'm against the whole concept.

In hindsight, so am I. This was one of the first things I implemented
when I started working on audit with Eric's enthusiasm and encouragement.

> -Steve

- RGB

--
Richard Guy Briggs <[email protected]>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
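An added example, not code from the thread or from the audit-userspace project: a C program that reads a process's effective capability mask (CapEff in /proc/self/status) and maps it onto the three audit netlink operations the thread describes (unicast control, AUDIT_USER* writes, and bind() to the multicast group). The capability numbers are the kernel's; the operation mapping follows the thread; the function names and the constructed status text are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers as defined in linux/capability.h, repeated here so the
 * example builds without the kernel headers installed. */
#define AUDIT_CAP_WRITE   29   /* CAP_AUDIT_WRITE   */
#define AUDIT_CAP_CONTROL 30   /* CAP_AUDIT_CONTROL */
#define AUDIT_CAP_READ    37   /* CAP_AUDIT_READ    */

/* Audit socket operations, as gated per the thread (names are assumptions). */
enum { AUDIT_MAY_CONTROL = 1, AUDIT_MAY_WRITE = 2, AUDIT_MAY_MCAST_READ = 4 };

/* Test one capability bit in a CapEff mask. */
int cap_in_mask(uint64_t capeff, int cap) { return (int)((capeff >> cap) & 1); }

/* Find the "CapEff:" line in /proc/<pid>/status text and parse its hex mask.
 * Returns 0 on success, -1 when the line is absent. */
int parse_capeff(const char *status_text, uint64_t *out)
{
    const char *p = status_text;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            *out = strtoull(p + 7, NULL, 16);   /* strtoull skips the tab */
            return 0;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* Map effective capabilities to the audit operations they permit. */
unsigned audit_rights(uint64_t capeff)
{
    unsigned r = 0;
    if (cap_in_mask(capeff, AUDIT_CAP_CONTROL)) r |= AUDIT_MAY_CONTROL;    /* unicast: register/replace auditd, rules */
    if (cap_in_mask(capeff, AUDIT_CAP_WRITE))   r |= AUDIT_MAY_WRITE;      /* unicast: AUDIT_USER* records */
    if (cap_in_mask(capeff, AUDIT_CAP_READ))    r |= AUDIT_MAY_MCAST_READ; /* multicast: bind() to the group */
    return r;
}

/* Rights for a status text, or -1 if it carries no CapEff line. */
int rights_from_status(const char *status_text)
{
    uint64_t capeff;
    if (parse_capeff(status_text, &capeff) != 0) return -1;
    return (int)audit_rights(capeff);
}

int main(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    int r = rights_from_status(buf);
    if (r < 0) { fputs("no CapEff line found\n", stderr); return 1; }
    printf("control=%d write=%d mcast_read=%d\n", !!(r & AUDIT_MAY_CONTROL),
           !!(r & AUDIT_MAY_WRITE), !!(r & AUDIT_MAY_MCAST_READ));
    return 0;
}
```

Run as an unprivileged user all three report 0; run as root (or under a capability-restricted service unit) it shows exactly which of the three socket operations the process could perform.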
