    audit: add netlink multicast group for log read · 451f9216
    Richard Guy Briggs authored
    Add a netlink multicast socket with one group to kaudit for "best-effort"
    delivery to read-only userspace clients such as systemd, in addition to the
    existing bidirectional unicast auditd userspace client.
    
    Currently, auditd is intended to use the CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE
    capabilities, but actually uses CAP_NET_ADMIN.  The CAP_AUDIT_READ capability
    is added for use by read-only AUDIT_NLGRP_READLOG netlink multicast group
    clients to the kaudit subsystem.
    
    This will safely give access to services such as systemd to consume audit logs
    while ensuring write access remains restricted for integrity.
    Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
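As an added example (not the kernel's code and not part of this commit), the following C program shows what a read-only consumer of the AUDIT_NLGRP_READLOG multicast group described above looks like: it opens a NETLINK_AUDIT socket, joins the group by setting the corresponding bit in `nl_groups` at bind() time, and prints every record it receives. It never sends anything to kaudit, so it needs only CAP_AUDIT_READ on a kernel carrying this change. The numeric values of NETLINK_AUDIT (9), AUDIT_NLGRP_READLOG (1) and AUDIT_SYSCALL (1300) are assumed to match the kernel headers; the helper names and the sample record are this example's own, and the sample record is constructed, not captured.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* Assumed to mirror linux/netlink.h and linux/audit.h; kept local so the
 * file builds against older headers that predate AUDIT_NLGRP_READLOG. */
#ifndef NETLINK_AUDIT
#define NETLINK_AUDIT 9
#endif
#define READLOG_GROUP 1        /* AUDIT_NLGRP_READLOG */
#define AUDIT_SYSCALL_TYPE 1300 /* AUDIT_SYSCALL */

/* Constructed sample payload in the kernel's text format (no trailing NUL). */
#define SAMPLE_TEXT "audit(1400000000.123:42): arch=c000003e syscall=59 success=yes exit=0"

/* Netlink multicast groups are numbered from 1; the bind() mask uses bit
 * (group - 1).  Group 0 means "no group" and yields an empty mask. */
static unsigned int audit_group_mask(unsigned int group)
{
    if (group == 0 || group > 32)
        return 0;
    return 1u << (group - 1);
}

/* Validate one netlink message in buf and expose its type and payload.
 * Returns 0 on success, -1 if the header is truncated or inconsistent. */
static int audit_parse_record(const void *buf, int len, unsigned short *type,
                              const char **payload, size_t *payload_len)
{
    const struct nlmsghdr *nlh = buf;

    if (!NLMSG_OK(nlh, len))
        return -1;
    *type = nlh->nlmsg_type;
    *payload = (const char *)NLMSG_DATA(nlh);
    *payload_len = nlh->nlmsg_len - NLMSG_HDRLEN;
    return 0;
}

/* Build a constructed AUDIT_SYSCALL record into buf (buf must be 4-byte
 * aligned).  Returns the message length, or -1 if buf is too small. */
static int build_sample_record(void *buf, size_t cap)
{
    size_t text_len = strlen(SAMPLE_TEXT);
    struct nlmsghdr *nlh = buf;

    if (cap < NLMSG_SPACE(text_len))
        return -1;
    memset(buf, 0, NLMSG_SPACE(text_len));
    nlh->nlmsg_len = NLMSG_LENGTH(text_len);
    nlh->nlmsg_type = AUDIT_SYSCALL_TYPE;
    memcpy(NLMSG_DATA(nlh), SAMPLE_TEXT, text_len);
    return (int)nlh->nlmsg_len;
}

/* Open a NETLINK_AUDIT socket and join the read-only log group.
 * Requires CAP_AUDIT_READ; the socket is never used for sending. */
static int audit_open_readlog(void)
{
    struct sockaddr_nl addr;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);

    if (fd < 0)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.nl_family = AF_NETLINK;
    addr.nl_groups = audit_group_mask(READLOG_GROUP);
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    unsigned int buf[2048]; /* unsigned int keeps nlmsghdr alignment */
    int fd = audit_open_readlog();

    if (fd < 0) {
        perror("audit_open_readlog (CAP_AUDIT_READ needed)");
        return 1;
    }
    for (;;) {
        int n = (int)recv(fd, buf, sizeof(buf), 0);
        unsigned short type;
        const char *payload;
        size_t plen;

        if (n < 0) {
            perror("recv");
            break;
        }
        if (audit_parse_record(buf, n, &type, &payload, &plen) == 0)
            printf("type=%u %.*s\n", type, (int)plen, payload);
    }
    close(fd);
    return 0;
}
```

Because the group is best-effort, a slow reader can miss records (the kernel does not block or retry for multicast listeners); auditd's unicast channel remains the authoritative stream, and a consumer like this should be treated as a monitoring tap rather than the system of record.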
audit.c 52.8 KB