From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Auditing Attempts to run Audit commands.
Date: Tue, 5 Oct 2010 12:48:25 -0400	[thread overview]
Message-ID: <201010051248.25878.sgrubb@redhat.com> (raw)
In-Reply-To: <4203334E76D37E4EAB3167BD333C21D10386B217@XMBIL142.northgrum.com>

On Tuesday, October 05, 2010 12:30:41 pm Boyce, Kevin P (AS) wrote:
> I have an execve rule for any attempt to execute auditd for example.  I
> never get any audit records when mortal users attempt to run the command
> (even though they will fail).  I only see success events when the
> commands are executed as root.

The audit utilities are protected by file permissions. So, if the user cannot
actually access the binary, they never made an attempt. This gets cut off in the
filename resolution phase so the audit rule never triggers. IOW, you have to
have a fully resolved path in the kernel for it to count as an attempt.

 
> I know all of the executables that ship with the audit packages check to
> see if root is executing them, but I think there is value in knowing who
> might be attempting to stop the audit daemon from a security
> perspective.

You can add a watch to the init script if you want.
 
-Steve
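An added example, not code from this thread or from the audit project, that turns Steve's two points into checks a defender can run: before relying on an execve rule to catch unprivileged users, verify that such a user can resolve every directory on the way to the binary (if any component is not searchable by "others", lookup fails early and the rule never fires), and emit the fallback rule, a watch on the init script, which ordinary users can resolve. It is POSIX sh and assumes /sbin/auditd and /etc/init.d/auditd as the binary and init script locations and audit-tools as the rule key; the fixture directories are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or the audit project. Paths and the
# key name below are assumptions; adjust them for your distribution.

# world_traversable ABSOLUTE_PATH
# Returns 0 if every directory leading to the file grants "others" search
# (x) permission, i.e. an arbitrary local user can get the kernel to
# resolve the name. The file's own mode is deliberately not checked:
# execute permission on the file is decided only after lookup succeeds.
world_traversable() {
    case "$1" in /*) ;; *) return 2 ;; esac
    dir=$(dirname "$1")
    while :; do
        # column 10 of "ls -ld" is the others-execute bit: x, t, or -
        bit=$(ls -ld "$dir" | cut -c10)
        case "$bit" in
            x|t) ;;
            *)   echo "not traversable by others: $dir" >&2; return 1 ;;
        esac
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# audit_rules BIN INIT_SCRIPT KEY
# Prints two auditctl rules: an exit-filter execve rule on the binary's
# path (only useful when world_traversable BIN succeeds) and a watch on
# the init script, so attempts by non-root users are recorded even though
# the script itself refuses to act for them. Retrieve with: ausearch -k KEY
audit_rules() {
    printf -- '-a always,exit -F arch=b64 -S execve -F path=%s -k %s\n' "$1" "$3"
    printf -- '-w %s -p rwxa -k %s\n' "$2" "$3"
}

# make_fixture: constructed directory tree for trying the check offline.
# open/bin/ is world-searchable; closed/ is owner-only (0700), mirroring
# a binary that sits behind a directory ordinary users cannot enter.
make_fixture() {
    root=$(mktemp -d) || return 1
    chmod 755 "$root"                     # mktemp -d creates 0700 dirs
    mkdir -p "$root/open/bin" "$root/closed/bin"
    chmod 755 "$root/open" "$root/open/bin" "$root/closed/bin"
    chmod 700 "$root/closed"
    : > "$root/open/bin/auditd"; : > "$root/closed/bin/auditd"
    chmod 750 "$root/open/bin/auditd" "$root/closed/bin/auditd"
    echo "$root"
}

# Demo: run the check against both fixture binaries, then show the rules.
demo() {
    root=$(make_fixture) || return 1
    for f in "$root/open/bin/auditd" "$root/closed/bin/auditd"; do
        if world_traversable "$f" 2>/dev/null; then
            echo "execve rule can fire for non-root users:      $f"
        else
            echo "execve rule will never fire for non-root users: $f"
        fi
    done
    audit_rules /sbin/auditd /etc/init.d/auditd audit-tools
    rm -rf "$root"
}

demo
```

The traversal check looks only at the "others" bits, which is the right question for "any mortal user"; group-based access and ACLs would need a per-user check with the user's own credentials. The watch rule uses `-p rwxa` so a read of the script (for example `cat`) by a curious user is logged as well as an execute attempt.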
