On Thu, Nov 15, 2018 at 5:22 AM Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Wed, 14 Nov 2018 19:57:07 -0500
> Richard Guy Briggs <rgb(a)redhat.com> wrote:
>> Hi Steve,
>>
>> In commit 183775f155cb96d8012c2d493041a03f1b825b2f ("Do capabilities
>> check rather than uid") a switch was made from checking "getuid() !=
>> 0" to checking CAP_AUDIT_CONTROL and CAP_AUDIT_READ via
>> audit_can_control() and audit_can_read().
>>
>> Does auditd use the multicast socket?
>
> No. It uses the prime guaranteed delivery netlink connection.
>
>> If not, there is no need for it to check or have CAP_AUDIT_READ
>
> I thought that the prime audit connection requires a capability check
> to ensure a process without proper privilege does not replace the audit
> daemon...since that's now possible.

Establishing an audit daemon connection requires CAP_AUDIT_CONTROL.
--
paul moore
www.paul-moore.com
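The thread turns on which capability gates which audit socket: CAP_AUDIT_CONTROL to register as the audit daemon on the unicast netlink connection, CAP_AUDIT_READ to join the multicast log group. The program below is an added example, not code from the thread or from audit-userspace, and its function names (cap_in_mask, mask_can_control, mask_can_read, audit_access_level) are hypothetical analogues of audit_can_control()/audit_can_read(), not that library's API. It assumes Linux with capget(2) reachable through syscall(2) and reports, from the calling thread's effective set, which of the two audit roles the process could legitimately take.

```c
/* Added example (not from the linux-audit thread or audit-userspace):
 * inspect the calling thread's effective capability set for
 * CAP_AUDIT_CONTROL and CAP_AUDIT_READ, the two capabilities the
 * thread discusses. Assumptions: Linux, capget(2) via syscall(2);
 * the helper names are hypothetical, not audit-userspace functions. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Fallbacks for older UAPI headers; values match linux/capability.h. */
#ifndef CAP_AUDIT_CONTROL
#define CAP_AUDIT_CONTROL 30
#endif
#ifndef CAP_AUDIT_READ
#define CAP_AUDIT_READ 37
#endif

/* Bit flags returned by audit_access_level(). */
#define AUDIT_ACCESS_CONTROL 1 /* may establish the audit daemon connection */
#define AUDIT_ACCESS_READ    2 /* may bind the multicast log group */

/* Test one capability bit in a 64-bit effective mask. */
static int cap_in_mask(uint64_t effective, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((effective >> cap) & 1);
}

/* Hypothetical analogues of audit_can_control()/audit_can_read(),
 * taking an explicit mask so they can be exercised without privilege. */
static int mask_can_control(uint64_t effective)
{
    return cap_in_mask(effective, CAP_AUDIT_CONTROL);
}

static int mask_can_read(uint64_t effective)
{
    return cap_in_mask(effective, CAP_AUDIT_READ);
}

/* Read the calling thread's effective set with capget(2), v3 layout
 * (two 32-bit words, low word first). Returns 0 on success, -1 on error. */
static int read_effective_caps(uint64_t *out)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];

    memset(&hdr, 0, sizeof hdr);
    memset(data, 0, sizeof data);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0; /* 0 selects the calling thread */
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *out = ((uint64_t)data[1].effective << 32) | data[0].effective;
    return 0;
}

/* Combine AUDIT_ACCESS_* flags for this process; -1 if capget failed.
 * Note the two roles are independent: CAP_AUDIT_CONTROL alone does not
 * grant multicast reads, and CAP_AUDIT_READ alone cannot register auditd. */
static int audit_access_level(void)
{
    uint64_t eff;
    int level = 0;

    if (read_effective_caps(&eff) != 0)
        return -1;
    if (mask_can_control(eff))
        level |= AUDIT_ACCESS_CONTROL;
    if (mask_can_read(eff))
        level |= AUDIT_ACCESS_READ;
    return level;
}

int main(void)
{
    int level = audit_access_level();

    if (level < 0) {
        perror("capget");
        return 1;
    }
    printf("CAP_AUDIT_CONTROL (audit daemon connection): %s\n",
           (level & AUDIT_ACCESS_CONTROL) ? "yes" : "no");
    printf("CAP_AUDIT_READ (multicast log group):        %s\n",
           (level & AUDIT_ACCESS_READ) ? "yes" : "no");
    return 0;
}
```

Run it as an unprivileged user, then under `setpriv --ambient-caps +audit_read` or as root, to see the two flags move independently; a daemon that only ever uses the unicast connection needs the CONTROL flag and nothing else.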