From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: auditing daemon activity (restart, stop, start)
Date: Thu, 30 Sep 2010 17:58:39 -0400
Message-ID: <201009301758.40193.sgrubb@redhat.com>
In-Reply-To: <7B0942425E628C468907C3029A0F33E45825BF36@MBX16.bell.corp.bce.ca>
On Wednesday, September 29, 2010 11:01:29 am romain.pelissier@bell.ca wrote:
> I am wondering if there is a way to monitor daemon activity with auditd,
> like a start and stop.
We recently patched systemd to record this information. Otherwise, you can add
a file watch on the individual daemon init scripts and see someone accessing
the file, but you don't know what they have attempted. Could just be status.
> I see in the logs of auditd that some activities
> with crond and/or pam are logged like :
>
> msg='PAM session close: user=root exe="/usr/sbin/crond"
> ...
> msg='PAM accounting: user=nagios exe="/usr/sbin/sshd"
>
> and I am wondering if I can catch a user that is trying to stop or start a
> daemon like syslog-ng.
Not without patching the init program. You need something with privilege and
that knows what is going on in order to do that.
> Also, why, if I have no rules defined, does auditd log those things anyway?
Because auditd enables the audit system. If the audit system was not enabled,
you would not get anything. You also have to understand that the rules are for
kernel events like accessing a file or making a syscall. It cannot decide that
pam should start sending anything or cron or sshd. So, all daemons and
security apps send events because they can't tell if they are needed or not.
But if you don't want some kinds of events, you can always use the exclude
filter.
-Steve
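An added example (not part of this thread) that puts the two suggestions above into practice: the auditctl rules for a file watch on a daemon's init script plus an exclude-filter rule, and a small reader that joins the watch's SYSCALL record to its EXECVE record so the report shows who ran the script and with which argument. The init-script path, the key name "daemon_ctl" and the sample log lines are assumptions/constructed, not values from the list.

```python
import re
from collections import defaultdict
# Rules in auditctl syntax for the two suggestions in the reply above. The init-script
# path and the key name "daemon_ctl" are assumptions, not values from the thread.
AUDIT_RULES = """
-w /etc/init.d/syslog-ng -p x -k daemon_ctl
# exclude filter: drops every CRED_DISP record system-wide, so choose the type deliberately
-a always,exclude -F msgtype=CRED_DISP
"""
HEAD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line):
    """Split one audit.log line into a dict; records of one event share the serial."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "time": m.group(2), "serial": int(m.group(3))}
    for name, value in FIELD_RE.findall(line[m.end():]):
        rec[name] = value.strip('"')
    return rec

# Constructed sample lines (not captured from a real host): a watch hit for "stop",
# an unrelated PAM record from cron, and a watch hit that was only a "status" check.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1285862400.101:301): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4101 auid=1000 uid=0 gid=0 comm="syslog-ng" exe="/bin/bash" key="daemon_ctl"',
    'type=EXECVE msg=audit(1285862400.101:301): argc=2 a0="/etc/init.d/syslog-ng" a1="stop"',
    "type=USER_END msg=audit(1285862401.222:302): user pid=4200 uid=0 auid=4294967295 msg='PAM session close: user=root exe=\"/usr/sbin/crond\" (hostname=?, addr=?, terminal=cron res=success)'",
    'type=SYSCALL msg=audit(1285862402.333:303): arch=c000003e syscall=59 success=yes exit=0 ppid=4300 pid=4301 auid=1001 uid=1001 gid=1001 comm="syslog-ng" exe="/bin/bash" key="daemon_ctl"',
    'type=EXECVE msg=audit(1285862402.333:303): argc=2 a0="/etc/init.d/syslog-ng" a1="status"',
]

def daemon_control_events(lines, key="daemon_ctl"):
    """Join SYSCALL records carrying the watch key to their EXECVE record (same serial)."""
    by_serial = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]].append(rec)
    events = []
    for serial, recs in sorted(by_serial.items()):
        syscall = next((r for r in recs if r["type"] == "SYSCALL" and r.get("key") == key), None)
        if syscall is None:
            continue  # PAM/cron/sshd records are not watch hits
        execve = next((r for r in recs if r["type"] == "EXECVE"), None)
        argv = [execve[f"a{i}"] for i in range(int(execve["argc"]))] if execve else []
        events.append({"serial": serial, "auid": syscall.get("auid"), "uid": syscall.get("uid"),
                       "exe": syscall.get("exe"), "argv": argv, "success": syscall.get("success")})
    return events
```

On a real host the same correlation is what `ausearch -k daemon_ctl -i` does; the argv column is what separates a "status" check from a "stop".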