Linux-audit Archive on lore.kernel.org
* How to confirm AUDITD is immutable
@ 2020-10-14 18:30 warron.french
From: warron.french @ 2020-10-14 18:30 UTC (permalink / raw)
  To: Linux Audit


Hello, I just wanted to confirm for my memory that if I wanted to confirm
that the auditd process running on my system was configured correctly and
intended to be immutable (setting -e 2) I would do so easily by executing:

auditctl -s

When I execute that command I get back in the results that have:
enabled 1
loginuid_immutable 0 unlocked
among a few other lines.

Shouldn't I actually see "enabled 2"?
I have in one of our .rules files under /etc/audit/rules.d/ the syntax
"-e 2".


Thanks,
--------------------------
Warron French


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: How to confirm AUDITD is immutable
@ 2020-10-14 18:44 Steve Grubb
From: Steve Grubb @ 2020-10-14 18:44 UTC (permalink / raw)
  To: Linux Audit

On Wednesday, October 14, 2020 2:30:48 PM EDT warron.french wrote:
> Hello, I just wanted to confirm for my memory that if I wanted to confirm
> that the auditd process running on my system was configured correctly and
> intended to be immutable (setting -e 2) I would do so easily by executing:
> 
> auditctl -s
> 
> When I execute that command I get back in the results that have:
> enabled 1
> loginuid_immutable 0 unlocked
> among a few other lines.
> 
> Shouldn't I actually see "enabled 2"?

That's what I get.

# auditctl -s
enabled 2


> I have in one of our .rules files under /etc/audit/rules.d/ the syntax
> "-e 2".

I'd copy 99-finalize.rules to rules.d and uncomment the only rule in the file.
It has to be last. Although I have no idea why what you have isn't working
unless it's not getting picked up by augenrules.

-Steve



