Re: Alert when auditd is stopped
Hello,

On Wednesday, March 2, 2022 10:51:57 AM EST MAUPERTUIS, PHILIPPE wrote:
> During an audit, we had a question about stopping auditd.
> What would be the best way to get an alert when auditd is stopped?

Since by now everything probably uses systemd, I think you can add an OnFailure= clause to the auditd.service file that starts a one-shot service that you write, which sends you the alert however you need it sent.

> Is it possible to forbid altogether stopping auditd?

The intended systemd configuration does not allow stopping auditd by dbus. It is intended to be controlled by the service command. The stop script sends a signal to auditd. So, removing the script won't work since any root user can send the TERM or KILL signal. I don't think systemd can limit signals received by a daemon. But it can restart a daemon if it fails. Auditd places an ignore on all signals except the ones it expects, such as TERM. The KILL and STOP signals cannot be blocked.

> Can we still stop auditd when the rules are made immutable?

Yes. The rules are in the kernel. Making them immutable tells the kernel not to accept any more rules. It doesn't affect auditd.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
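The OnFailure= approach from the reply above, as an added example that is not part of the thread: a script that writes a drop-in for auditd.service (OnFailure= plus Restart=on-failure, which the reply also mentions) and a one-shot alert unit that logs to syslog via logger. The unit name auditd-alert.service, the DESTDIR argument and the use of logger are assumptions for this example; on a real host the files belong under /etc/systemd/system followed by systemctl daemon-reload.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates systemd units that
# fire an alert when auditd.service enters the failed state. DESTDIR lets the
# script be exercised in a scratch directory; the unit names are assumptions.
set -eu

# write_auditd_alert_units DESTDIR
# Writes DESTDIR/etc/systemd/system/auditd.service.d/alert.conf (the drop-in)
# and DESTDIR/etc/systemd/system/auditd-alert.service (the one-shot alert).
# Prints the paths it wrote; returns non-zero on any write failure.
write_auditd_alert_units() {
    destdir=${1:?usage: write_auditd_alert_units DESTDIR}
    unitdir="$destdir/etc/systemd/system"
    mkdir -p "$unitdir/auditd.service.d"

    # Drop-in rather than editing the vendor unit, so package updates keep it.
    # OnFailure= starts the alert unit when auditd enters "failed";
    # Restart= brings auditd back, as the reply notes systemd can do.
    cat > "$unitdir/auditd.service.d/alert.conf" <<'EOF'
[Unit]
OnFailure=auditd-alert.service

[Service]
Restart=on-failure
RestartSec=5s
EOF

    # One-shot unit: %H expands to the host name; logger writes an auth.crit
    # message that a syslog forwarder can ship off-box.
    cat > "$unitdir/auditd-alert.service" <<'EOF'
[Unit]
Description=Alert that auditd has entered the failed state
DefaultDependencies=no

[Service]
Type=oneshot
ExecStart=/usr/bin/logger -t auditd-alert -p auth.crit "auditd failed on %H; see journalctl -u auditd"
EOF
    printf '%s\n' "$unitdir/auditd.service.d/alert.conf" "$unitdir/auditd-alert.service"
}

# onfailure_target FILE: prints the OnFailure= value of a unit or drop-in,
# handy for checking what a generated drop-in will actually trigger.
onfailure_target() {
    sed -n 's/^OnFailure=//p' "$1"
}

if [ $# -eq 1 ]; then write_auditd_alert_units "$1"; fi
```

Note that systemd treats SIGHUP, SIGINT, SIGTERM and SIGPIPE as clean exits by default, so OnFailure= fires on a crash or a KILL signal but not on a TERM-based stop; for that case the DAEMON_END record auditd writes, or the Restart= line above, is the more reliable signal.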
Alert when auditd is stopped
Hi list,

During an audit, we had a question about stopping auditd.

What would be the best way to get an alert when auditd is stopped?
Is it possible to forbid altogether stopping auditd?
Can we still stop auditd when the rules are made immutable?

Any help will be appreciated.

Philippe