From: "MAUPERTUIS, PHILIPPE"
To: "'linux-audit@redhat.com'"
Subject: Alert when auditd is stopped
Date: Wed, 2 Mar 2022 15:51:57 +0000
List-Id: Linux Audit Discussion

Hi list,

During an audit, we had a question about stopping auditd.

What will be the best way either to get an alert when auditd is stopped?

Is it possible to forbid altogether to stop auditd?

Can we still stop auditd when the rules are made immutable?

Any help will be appreciated

Philippe

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit