* auditing daemon activity (restart, stop, start)
@ 2010-09-29 15:01 romain.pelissier
From: romain.pelissier @ 2010-09-29 15:01 UTC (permalink / raw)
To: linux-audit
Hi,
I am wondering if there is a way to monitor daemon activity, like a start and a stop, with auditd.
I see in the logs of auditd that some activities with crond and/or pam are logged like:
msg='PAM session close: user=root exe="/usr/sbin/crond"
...
msg='PAM accounting: user=nagios exe="/usr/sbin/sshd"
and I am wondering if I can catch a user that is trying to stop or start a daemon like syslog-ng.
Also, why, if I have no rules defined, does auditd log those things anyway?
Thanks
* Re: auditing daemon activity (restart, stop, start)
From: Steve Grubb @ 2010-09-30 21:58 UTC (permalink / raw)
To: linux-audit
On Wednesday, September 29, 2010 11:01:29 am romain.pelissier@bell.ca wrote:
> I am wondering if there is a way to monitor daemon activity, like a start
> and a stop, with auditd.
We recently patched systemd to record this information. Otherwise, you can add
a file watch on the individual daemon init scripts and see someone accessing
the file, but you don't know what they have attempted. Could just be status.
> I see in the logs of auditd that some activities
> with crond and/or pam are logged like:
>
> msg='PAM session close: user=root exe="/usr/sbin/crond"
> ...
> msg='PAM accounting: user=nagios exe="/usr/sbin/sshd"
>
> and I am wondering if I can catch a user that is trying to stop or start a
> daemon like syslog-ng.
Not without patching the init program. You need something with privilege and
that knows what is going on in order to do that.
> Also, why, if I have no rules defined, does auditd log those things anyway?
Because auditd enables the audit system. If the audit system was not enabled,
you would not get anything. You also have to understand that the rules are for
kernel events like accessing a file or making a syscall. It cannot decide that
pam should start sending anything or cron or sshd. So, all daemons and
security apps send events because they can't tell if they are needed or not.
But if you don't want some kinds of events, you can always use the exclude
filter.
-Steve
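The two mechanisms Steve mentions, the file watch on an init script and the exclude filter, written out as an audit.rules fragment together with a small parser for the records the watch produces. This is an added example, not code from the thread or from the audit project; the init script path, the key name "daemon-ctl" and the sample log lines are assumed or constructed. When the watch fires on an execve, the EXECVE record in the same event carries the arguments, which is what the parser joins to the SYSCALL record's login uid (auid).

```shell
#!/bin/sh
# Added example (not from the thread). Rule fragment to append to
# /etc/audit/audit.rules or load with "auditctl -R". The init script
# path and the key name are assumed.
daemon_watch_rules() {
    cat <<'EOF'
# execute-watch on the syslog-ng init script (path assumed)
-w /etc/init.d/syslog-ng -p x -k daemon-ctl
# exclude filter: drop the PAM session open/close and accounting records
-a exclude,always -F msgtype=USER_START
-a exclude,always -F msgtype=USER_END
-a exclude,always -F msgtype=USER_ACCT
EOF
}

# Join the SYSCALL and EXECVE records of each watched event by event id
# (the number after the colon in msg=audit(...)) and print the login uid
# together with the executed argv. Reads audit.log on stdin.
daemon_ctl_events() {
    awk '
    { id = $2; sub(/^msg=audit\([0-9.]*:/, "", id); sub(/\).*/, "", id) }
    $1 == "type=SYSCALL" && /key="daemon-ctl"/ {
        for (i = 3; i <= NF; i++) if ($i ~ /^auid=/) auid[id] = substr($i, 6)
        seen[id] = 1
    }
    $1 == "type=EXECVE" {
        args = ""
        for (i = 3; i <= NF; i++) if ($i ~ /^a[0-9]+=/) {
            v = $i; sub(/^a[0-9]+=/, "", v); gsub(/"/, "", v)
            args = args (args == "" ? "" : " ") v
        }
        argv[id] = args
    }
    END {
        for (id in seen)
            printf "event=%s auid=%s argv=%s\n", id, auid[id],
                   (id in argv) ? argv[id] : "(no EXECVE record)"
    }' | sort
}

# Constructed sample of the records the watch produces when login uid 500
# runs "/etc/init.d/syslog-ng stop" as root (SYSCALL fields abbreviated).
SAMPLE_LOG='type=SYSCALL msg=audit(1285776000.123:42): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1234 auid=500 uid=0 gid=0 euid=0 comm="syslog-ng" exe="/bin/bash" key="daemon-ctl"
type=EXECVE msg=audit(1285776000.123:42): argc=2 a0="/etc/init.d/syslog-ng" a1="stop"
type=CWD msg=audit(1285776000.123:42): cwd="/root"
type=PATH msg=audit(1285776000.123:42): item=0 name="/etc/init.d/syslog-ng" inode=4242 dev=08:01 mode=0100755 ouid=0 ogid=0'

printf '%s\n' "$SAMPLE_LOG" | daemon_ctl_events
```

Searching the live log with `ausearch -k daemon-ctl` gives the same records; the awk join is only there to show which fields carry the answer.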