All of lore.kernel.org
 help / color / mirror / Atom feed
From: Steve Grubb <sgrubb@redhat.com>
To: "'linux-audit@redhat.com'" <linux-audit@redhat.com>
Cc: "MAUPERTUIS, PHILIPPE" <philippe.maupertuis@worldline.com>
Subject: Re: Alert when auditd is stopped
Date: Wed, 02 Mar 2022 12:11:35 -0500	[thread overview]
Message-ID: <3755499.tdWV9SEqCh@x2> (raw)
In-Reply-To: <MRZP264MB1686221719EF75F53746E91EFA039@MRZP264MB1686.FRAP264.PROD.OUTLOOK.COM>

Hello,

On Wednesday, March 2, 2022 10:51:57 AM EST MAUPERTUIS, PHILIPPE wrote:
> During an audit, we had a question about stopping auditd.
> What will be the best way either to get an alert when auditd is stopped ?

Since by now everything probably uses systemd, I think you can add an 
OnFailure=  clause to the auditd.service file that starts a one shot service 
of that you write which sends you the alert however you need it sent.

> Is it possible  to forbid altogether to stop auditd ?

The intended systemd configuration does not allow stopping auditd by dbus. It 
is intended to be controlled by the service command. The stop script sends a 
signal to auditd. So, removing the script won't work since any root user can 
send the TERM or KILL signal. I don't think systemd can limit signals 
received by a daemon. But it can restart a daemon if it fails. Auditd places 
an ignore on all signals except the ones it expects such as TERM. The KILL 
and STOP signals cannot be blocked.

> Can we still stop auditd when the rules are made immutable ?

Yes. The rules are in the kernel. Making them immutable tells the kernel not 
to accept any more rules. It doesn't affect auditd.

-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


      reply	other threads:[~2022-03-02 17:11 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-02 15:51 Alert when auditd is stopped MAUPERTUIS, PHILIPPE
2022-03-02 17:11 ` Steve Grubb [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3755499.tdWV9SEqCh@x2 \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    --cc=philippe.maupertuis@worldline.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.