From mboxrd@z Thu Jan 1 00:00:00 1970 From: Richard Guy Briggs Subject: Re: Audit reporting Invalid argument Date: Mon, 16 May 2016 13:21:02 -0400 Message-ID: <20160516172102.GF18488@madcap2.tricolour.ca> References: <8FC6AD31395616439ECBCD98E071A87F4BF14ED7@G4W3202.americas.hpqcorp.net> <1581661.ndI2rhVsuG@x2> <8FC6AD31395616439ECBCD98E071A87F4BF15630@G4W3202.americas.hpqcorp.net> <1956741.kKb8qJBsiM@x2> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Content-Disposition: inline In-Reply-To: <1956741.kKb8qJBsiM@x2> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Steve Grubb Cc: "linux-audit@redhat.com" , "Bhagwat, Shriniketan Manjunath" List-Id: linux-audit@redhat.com On 16/05/16, Steve Grubb wrote: > On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote: > > > Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL > > > > Are there any future plans to support enabling audit from non root user > > using CAP_AUDIT_CONTROL? > > You are the only person who has asked for it. I suppose it can be done in a > couple lines of code. But you still have the permissions of the directories > that hold the rules to correct. Easy to fix, but I think you might be fighting > the distribution's package manager which would set things back to root every > update. There is no kernel obstacle that I can see now. It used to depend on CAP_NET_ADMIN, I think, but that stuff has all been fixed. I can see applications for it, possibly even in containers down the road... > -Steve - RGB -- Richard Guy Briggs Kernel Security Engineering, Base Operating Systems, Red Hat Remote, Ottawa, Canada Voice: +1.647.777.2635, Internal: (81) 32635