Hello all, I'm trying to implement a hardened installation of auditbeat on a host (running not as root, limiting exposed capabilities via systemd AmbientCapabilities/setcap). Auditbeat version is 8.17.
If I use the config option socket_type: multicast
in the config and set the following capabilities: CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST, CAP_NET_ADMIN, CAP_NET_RAW
(testing different sets of capabilities related to connecting to the auditd multicast socket) and CAP_AUDIT_READ, CAP_AUDIT_CONTROL
(enabling the actual read from the auditd socket; AUDIT_CONTROL is needed for obtaining the actual auditd state), auditbeat refuses to collect auditd logs with the following error:
"message":"Failure receiving audit events","service.name":"auditbeat","error":{"message":"failed to enable auditing in the kernel: failed sending request: operation not permitted"}
But the documentation clearly states that with socket_type = multicast, auditbeat will only read audit events, without trying to write data to the auditd socket (like defining its own set of rules?).
Moreover, the auditbeat source code regarding binding to the multicast socket has a comment that states "yes, we get an EPERM at that moment if the process does not have the CAP_AUDIT_CONTROL capability, but OK, we will ignore it" (beats/auditbeat/module/auditd/audit_linux.go at main · elastic/beats · GitHub), but in fact a) I explicitly give the necessary cap and b) auditbeat does not ignore the "absent" cap, but just refuses to read audit logs.
If I read the sources correctly, initClient()
tries to manually enable the audit subsystem (https://github.com/elastic/go-libaudit/blob/main/audit.go#L346), but is this really how it should be?
Perhaps my attempts are useless, and auditbeat must always be run as root.
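An added check, not from the post or from Elastic's code: decode the CapEff mask of a process as shown in /proc/<pid>/status to confirm that the capabilities granted through AmbientCapabilities or setcap are actually effective in the running auditbeat. Capability bit numbers are taken from linux/capability.h; the pidof lookup and the sample masks are assumptions.

```shell
#!/bin/sh
# Added example: verify that the capability set requested for auditbeat
# really reaches the process (CapEff), not only CapPrm or CapAmb.
# Bit numbers from linux/capability.h.
cap_bit() {
  case "$1" in
    CAP_NET_BIND_SERVICE) echo 10 ;;
    CAP_NET_BROADCAST)    echo 11 ;;
    CAP_NET_ADMIN)        echo 12 ;;
    CAP_NET_RAW)          echo 13 ;;
    CAP_AUDIT_CONTROL)    echo 30 ;;
    CAP_AUDIT_READ)       echo 37 ;;
    *)                    echo -1 ;;
  esac
}

# has_cap HEXMASK CAPNAME: succeeds if CAPNAME's bit is set in HEXMASK
# (HEXMASK as printed in /proc/<pid>/status, e.g. "CapEff: 0000002040003c00").
has_cap() {
  bit=$(cap_bit "$2")
  [ "$bit" -ge 0 ] || return 2
  [ $(( 0x$1 >> bit & 1 )) -eq 1 ]
}

# missing_caps HEXMASK CAP...: prints each listed capability absent from HEXMASK;
# returns 1 if any is missing, 0 if all are present.
missing_caps() {
  mask=$1; shift; rc=0
  for c in "$@"; do
    has_cap "$mask" "$c" || { echo "$c"; rc=1; }
  done
  return $rc
}

# proc_cap_mask PID FIELD: read CapEff/CapPrm/CapAmb/CapBnd of a live process.
proc_cap_mask() {
  awk -v f="$2:" '$1 == f { print $2 }' "/proc/$1/status"
}

# Usage: ./capcheck.sh --check  (assumes pidof is available and auditbeat is running)
if [ "${1:-}" = "--check" ]; then
  pid=$(pidof auditbeat | awk '{print $1}')
  [ -n "$pid" ] || { echo "auditbeat not running" >&2; exit 2; }
  missing_caps "$(proc_cap_mask "$pid" CapEff)" \
    CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW \
    CAP_AUDIT_READ CAP_AUDIT_CONTROL && echo "all requested capabilities are effective"
fi
```

If a bit is present in CapPrm or CapAmb but absent from CapEff, the grant reached the process but is not effective; with file capabilities this usually means setcap was run without the effective flag (e.g. "=p" instead of "=ep").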