auditd and CAP_AUDIT_READ

Richard Guy Briggs rgb at redhat.com
Thu Nov 15 13:23:46 UTC 2018


On 2018-11-15 09:51, Steve Grubb wrote:
> On Wed, 14 Nov 2018 19:57:07 -0500
> Richard Guy Briggs <rgb at redhat.com> wrote:
> 
> > Hi Steve,
> > 
> > In commit 183775f155cb96d8012c2d493041a03f1b825b2f ("Do capabilities
> > check rather than uid") a switch was made from checking "getuid() !=
> > 0" to checking CAP_AUDIT_CONTROL and CAP_AUDIT_READ via
> > audit_can_control() and audit_can_read().
> > 
> > Does auditd use the multicast socket?
> 
> No. It uses the prime guaranteed delivery netlink connection.

So all it needs is CAP_AUDIT_CONTROL as it did previously.  Other user
applications that write AUDIT_USER* messages need CAP_AUDIT_WRITE.

CAP_AUDIT_READ gates the bind function which is used to join a multicast
group (of which there is only one).

> > If not, there is no need for it to check or have CAP_AUDIT_READ
> 
> I thought that the prime audit connection requires a capability check
> to ensure a process without proper privilege does not replace the audit
> daemon...since that's now possible. Are there privilege checks for who
> can connect to the audit socket? Shouldn't that process also have
> CAP_AUDIT_READ since that is what it will be doing?

The only cap that will let a daemon be checked for replacement is
CAP_AUDIT_CONTROL.  CAP_AUDIT_READ is only used for the unreliable
reception of multicast audit log records.

The unicast socket is gated by CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE.
The multicast read-only unreliable socket is gated by CAP_AUDIT_READ.

> > Having audit_can_read() available in lib/libaudit.c is certainly
> > useful regardless for other potential libaudit users like systemd.
> 
> I have never tried to make libaudit work with multicast sockets because
> I'm against the whole concept.

In hindsight, so am I.  This was one of the first things I implemented
when I started working on audit with Eric's enthusiasm and encouragement.

> -Steve

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
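The mapping described in the message above (CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE gate the unicast audit netlink socket, CAP_AUDIT_READ gates only the bind to the read-only multicast log group) can be turned into a pre-flight check that a daemon or a troubleshooter runs before attempting to open the socket. The following C program is an added example and is not part of this thread or of the audit-userspace code; it reads the effective capability mask from the CapEff line of /proc/self/status, takes the capability numbers from <linux/capability.h> (with fallback definitions of the same values for systems without that header), and reports which kind of audit access the kernel could grant. It does not replace the kernel's own checks; it only tells you, before you call bind() or send a control message, whether the capability that the kernel will test is present.

```c
/* Added example: classify the audit netlink access a process could be
 * granted, from its effective capability mask (CapEff in /proc/<pid>/status).
 * Not code from the linux-audit thread or from audit-userspace. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>

#ifdef __linux__
#include <linux/capability.h>
#endif
/* Fallbacks carry the values defined in the kernel's capability.h. */
#ifndef CAP_AUDIT_WRITE
#define CAP_AUDIT_WRITE   29
#endif
#ifndef CAP_AUDIT_CONTROL
#define CAP_AUDIT_CONTROL 30
#endif
#ifndef CAP_AUDIT_READ
#define CAP_AUDIT_READ    37
#endif

/* What the process could do with the audit netlink interfaces. */
enum audit_access {
    AUDIT_CAN_CONTROL    = 1 << 0, /* unicast: register/replace daemon, rules */
    AUDIT_CAN_WRITE      = 1 << 1, /* unicast: emit AUDIT_USER* records   */
    AUDIT_CAN_MCAST_READ = 1 << 2, /* multicast: bind to read-only log group */
};

static int cap_is_set(uint64_t caps, int cap)
{
    return cap >= 0 && cap < 64 && ((caps >> cap) & 1u);
}

/* Parse the hex mask printed after "CapEff:". Returns 0 on success. */
int parse_cap_mask(const char *hex, uint64_t *out)
{
    char *end;
    if (!hex || !*hex)
        return -1;
    errno = 0;
    unsigned long long v = strtoull(hex, &end, 16);
    if (errno || end == hex || (*end != '\0' && *end != '\n'))
        return -1;
    *out = (uint64_t)v;
    return 0;
}

/* Map a capability mask to the audit access flags described in the thread. */
int audit_access_from_caps(uint64_t caps)
{
    int access = 0;
    if (cap_is_set(caps, CAP_AUDIT_CONTROL)) access |= AUDIT_CAN_CONTROL;
    if (cap_is_set(caps, CAP_AUDIT_WRITE))   access |= AUDIT_CAN_WRITE;
    if (cap_is_set(caps, CAP_AUDIT_READ))    access |= AUDIT_CAN_MCAST_READ;
    return access;
}

/* Convenience: hex mask string -> access flags, or -1 if the mask is malformed. */
int audit_access_from_hex(const char *hex)
{
    uint64_t caps;
    if (parse_cap_mask(hex, &caps) != 0)
        return -1;
    return audit_access_from_caps(caps);
}

/* Read the calling process's own CapEff line (Linux only). Returns 0 on success. */
int read_self_cap_eff(uint64_t *out)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int rc = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            while (*p == ' ' || *p == '\t')
                p++;
            rc = parse_cap_mask(p, out);
            break;
        }
    }
    fclose(f);
    return rc;
}

int main(void)
{
    uint64_t caps;
    if (read_self_cap_eff(&caps) != 0) {
        fprintf(stderr, "could not read CapEff from /proc/self/status\n");
        return 1;
    }
    int a = audit_access_from_caps(caps);
    printf("CapEff=%016llx\n", (unsigned long long)caps);
    printf("unicast control  (CAP_AUDIT_CONTROL): %s\n", (a & AUDIT_CAN_CONTROL) ? "yes" : "no");
    printf("unicast write    (CAP_AUDIT_WRITE):   %s\n", (a & AUDIT_CAN_WRITE) ? "yes" : "no");
    printf("multicast read   (CAP_AUDIT_READ):    %s\n", (a & AUDIT_CAN_MCAST_READ) ? "yes" : "no");
    return 0;
}
```

Run it as the user auditd would run under (or inside the service's sandbox) to see whether CAP_AUDIT_CONTROL is actually in the effective set; a "no" on that line explains a failed daemon registration before any netlink traffic is attempted, and a "no" on CAP_AUDIT_READ only matters for a multicast listener such as the libaudit users mentioned in the thread.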