* Alert when auditd is stopped
@ 2022-03-02 15:51 MAUPERTUIS, PHILIPPE
  2022-03-02 17:11 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: MAUPERTUIS, PHILIPPE @ 2022-03-02 15:51 UTC (permalink / raw)
  To: 'linux-audit@redhat.com'



Hi list,
During an audit, we had a question about stopping auditd.
What would be the best way to get an alert when auditd is stopped?
Is it possible to forbid stopping auditd altogether?
Can we still stop auditd when the rules are made immutable?

Any help will be appreciated.
Philippe

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


* Re: Alert when auditd is stopped
  2022-03-02 15:51 Alert when auditd is stopped MAUPERTUIS, PHILIPPE
@ 2022-03-02 17:11 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2022-03-02 17:11 UTC (permalink / raw)
  To: 'linux-audit@redhat.com'; +Cc: MAUPERTUIS, PHILIPPE

Hello,

On Wednesday, March 2, 2022 10:51:57 AM EST MAUPERTUIS, PHILIPPE wrote:
> During an audit, we had a question about stopping auditd.
> What would be the best way to get an alert when auditd is stopped?

Since by now everything probably uses systemd, I think you can add an 
OnFailure= clause to the auditd.service file that starts a oneshot service 
that you write, which sends you the alert however you need it sent.

> Is it possible to forbid stopping auditd altogether?

The intended systemd configuration does not allow stopping auditd by dbus. It 
is intended to be controlled by the service command. The stop script sends a 
signal to auditd. So, removing the script won't work since any root user can 
send the TERM or KILL signal. I don't think systemd can limit signals 
received by a daemon. But it can restart a daemon if it fails. Auditd places 
an ignore on all signals except the ones it expects such as TERM. The KILL 
and STOP signals cannot be blocked.

> Can we still stop auditd when the rules are made immutable ?

Yes. The rules are in the kernel. Making them immutable tells the kernel not 
to accept any more rules. It doesn't affect auditd.

-Steve



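A concrete version of the OnFailure= approach from the reply above, added here as an example and not code from the thread or from the audit project: a drop-in for the stock auditd.service (so the vendor unit, which carries RefuseManualStop=yes, is left untouched) plus the oneshot unit it triggers. The unit names, the drop-in file name and the /usr/local/sbin/auditd-alert hook script are assumptions; the hook shown only writes to syslog and mails root, and a real deployment would replace it with whatever reaches the on-call channel.

```shell
#!/bin/sh
# Added example, not code from the thread or from the audit project:
# install a systemd hook that raises an alert when auditd.service fails.
# Unit names, file names and the /usr/local/sbin/auditd-alert hook are assumptions.
set -eu

# Drop-in for the vendor auditd.service (which is left untouched) plus the
# oneshot unit that OnFailure= starts. $1 is the unit directory.
write_auditd_alert_units() {
    dest="${1:-/etc/systemd/system}"
    mkdir -p "$dest/auditd.service.d"
    cat > "$dest/auditd.service.d/10-alert.conf" <<'EOF'
[Unit]
# Activated when auditd.service enters the "failed" state: crash, SIGKILL,
# or a non-zero exit. A clean shutdown (exit 0) does not trigger it.
OnFailure=auditd-alert.service
EOF
    cat > "$dest/auditd-alert.service" <<'EOF'
[Unit]
Description=Alert that auditd has failed

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/auditd-alert
EOF
}

# The hook itself: syslog at crit, plus mail to root when a mail command exists.
# $1 is the directory to install it in.
write_auditd_alert_hook() {
    bindir="${1:-/usr/local/sbin}"
    mkdir -p "$bindir"
    cat > "$bindir/auditd-alert" <<'EOF'
#!/bin/sh
# Assumed alert hook; replace the body with your own notification path.
host=$(hostname)
state=$(systemctl show -p ActiveState --value auditd.service 2>/dev/null || echo unknown)
msg="auditd on $host is no longer running (ActiveState=$state)"
logger -t auditd-alert -p authpriv.crit -- "$msg"
if command -v mail >/dev/null 2>&1; then
    printf '%s\n' "$msg" | mail -s "auditd stopped on $host" root
fi
EOF
    chmod 0755 "$bindir/auditd-alert"
}

# Installs only when asked explicitly:
#   sh auditd-alert-setup.sh --install [unit-dir] [bin-dir]
if [ "${1:-}" = "--install" ]; then
    write_auditd_alert_units "${2:-/etc/systemd/system}"
    write_auditd_alert_hook "${3:-/usr/local/sbin}"
    echo "units written; now run: systemctl daemon-reload"
fi
```

After installing, run systemctl daemon-reload and confirm with systemctl show -p OnFailure auditd.service; on a test box, systemctl kill --signal=KILL auditd.service should fire the alert, and journalctl -u auditd-alert.service shows the run. Note the scope: OnFailure= fires only when auditd.service ends in the failed state. A clean SIGTERM shutdown through the service script exits 0 and leaves the unit inactive, not failed, so that case needs a second hook: an ExecStopPost= line in the drop-in's [Service] section runs on every stop, clean or not, and receives $SERVICE_RESULT, $EXIT_CODE and $EXIT_STATUS from systemd. auditd also records a DAEMON_END event on a clean shutdown, which a remote log collector can alert on independently of the host.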

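The signal point in the reply, shown with a stand-in process (an added example, not from the thread): the child sets one signal to ignore, the way auditd ignores the signals it does not expect, and the function reports the wait status after the chosen signal is delivered, using the shell's 128+signal-number convention for a process ended by a signal (143 for TERM, 137 for KILL). A process that ignores TERM survives it and is only ended by the KILL the function sends as cleanup; KILL cannot be ignored by any process, which is why hiding the stop script does not keep root from ending the daemon.

```shell
#!/bin/sh
# Added example, not code from the thread: a stand-in for auditd that ignores
# one signal, so the effect of TERM versus KILL can be observed.

# wait_status_after IGNORED SENT
#   Start a background `sleep` with signal IGNORED set to ignore (the
#   disposition survives exec, just as a daemon's own sigaction() setup
#   would), deliver SENT, then KILL whatever is still running and print the
#   wait status: 143 = ended by TERM (128+15), 137 = ended by KILL (128+9).
wait_status_after() {
    ignored="$1"
    sent="$2"
    ( trap '' "$ignored"; exec sleep 30 ) &
    pid=$!
    sleep 1                                   # let the child install its disposition
    kill -s "$sent" "$pid" 2>/dev/null || true
    sleep 1                                   # let the signal take effect
    kill -s KILL "$pid" 2>/dev/null || true   # cleanup; no-op if already gone
    wait "$pid" && status=0 || status=$?
    echo "$status"
}

# Run the three cases when invoked as: sh signal-demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "ignores TERM, sent TERM -> $(wait_status_after TERM TERM)"   # 137: TERM ignored, cleanup KILL ended it
    echo "ignores HUP,  sent TERM -> $(wait_status_after HUP TERM)"    # 143: TERM ended it
    echo "ignores TERM, sent KILL -> $(wait_status_after TERM KILL)"   # 137: KILL cannot be ignored
fi
```

The same holds for STOP, which freezes the daemon without ending it; neither signal can be masked, caught or ignored, so the only defences are detecting the loss (the OnFailure= hook above, or a collector that notices the host's audit stream going quiet) and limiting who holds root in the first place.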
