From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Auditing Attemtps to run Audit commands.
Date: Tue, 5 Oct 2010 12:48:25 -0400
Message-ID: <201010051248.25878.sgrubb@redhat.com>
References: <4203334E76D37E4EAB3167BD333C21D10386B217@XMBIL142.northgrum.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <4203334E76D37E4EAB3167BD333C21D10386B217@XMBIL142.northgrum.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, October 05, 2010 12:30:41 pm Boyce, Kevin P (AS) wrote:
> I have an execve rule for any attempt to execute auditd for example.  I
> never get any audit records when mortal users attempt to run the command
> (even though they will fail).  I only see success events when the
> commands are executed as root.

The audit utilities are protected by file permissions. So, if the user cannot 
actually access the binary, they never made an attempt. This gets cutoff in the 
filename resolution phase so the audit rule never triggers. IOW, you have to 
have a fully resolved path in the kernel for it to count as an attempt.

 
> I know all of the executables that ship with the audit packages check to
> see if root is executing them, but I think there is value in knowing who
> might be attempting to stop the audit daemon from a security
> perspective.

You can add a watch to the init script if you want.
 
-Steve