From: Steve Grubb
Subject: Re: How to monitor audit/audispd killed
Date: Mon, 04 Jan 2016 09:32:47 -0500
Message-ID: <4152899.8YOsTRPv25@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday, January 04, 2016 08:10:29 PM Matthew Chao wrote:
> Hi,
>
> I added the following rules in audit.rules for monitoring auditd/audispd
> being killed (audit ver: 1.8),
> =============
> -a exit,always -F perm=wa -F path=/var/run/auditd.pid -k cfg
> -a exit,always -F perm=wa -F path=/var/run/audispd_events -k cfg
>
> Or
>
> -a exit,always -S kill -F path=/var/run/auditd.pid -k cfg
> -a exit,always -S kill -F path=/var/run/audispd_events -k cfg
> =============
>
> However, these rules don't work:

You have a race condition where auditd gets a signal to shut down and an
event indicating that shutdown is occurring. On shutdown, the audit daemon
does not alter the rules or whether auditing is enabled. (This was to get
shutdown AVCs for selinux.) There is a chance that your event is in
syslog's files.

> Even when the processes (auditd/audispd) are killed, I can't get any
> related messages except DAEMON_END.

The daemon end event should give you 2 things: who issued the shutdown
(auid) and the sending pid. That should let you track it down.

-Steve
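The reply above says the DAEMON_END record carries the auid and pid of whoever asked auditd to stop, and that this is what to chase rather than the file-watch rules. The following is an added example, not code from the thread or from the audit project: it pulls those two fields out of DAEMON_END lines in an audit.log and separates halts requested by a logged-in user from halts issued with no login session (auid=4294967295, the unset value init/systemd runs with), which is the usual way to tell a service stop at system shutdown from someone killing the daemon by hand. The sample log lines are constructed for the example; the exact wording of the DAEMON_END preamble and the presence of a subj= field are assumptions, only the auid= and pid= fields are relied on.

```python
import re
from datetime import datetime, timezone

# Constructed sample audit.log excerpt (not from the original post). The
# preamble text of the DAEMON_END record is assumed; the parser only depends
# on the auid= and pid= fields the reply says the event carries.
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1451911234.101:1): auditd start, ver=2.4.1 format=raw kernel=3.10.0 auid=4294967295 pid=1001 subj=system_u:system_r:auditd_t:s0 res=success
type=SYSCALL msg=audit(1451911300.555:200): arch=c000003e syscall=2 success=yes exit=3 key="cfg"
type=DAEMON_END msg=audit(1451911500.200:300): auditd normal halt, sending auid=1000 pid=2345 subj=unconfined_u:unconfined_r:unconfined_t:s0 res=success
type=DAEMON_END msg=audit(1451920000.300:301): auditd normal halt, sending auid=4294967295 pid=1 subj=system_u:system_r:init_t:s0 res=success
"""

# (unsigned)-1: the loginuid of processes with no login session, e.g. init.
AUID_UNSET = 4294967295

DAEMON_END_RE = re.compile(
    r'^type=DAEMON_END msg=audit\((?P<ts>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\):'
    r'.*?\bauid=(?P<auid>\d+)\b.*?\bpid=(?P<pid>\d+)\b'
)


def parse_daemon_end(log_text):
    """Return one record per DAEMON_END line: time, serial, sender auid/pid,
    subject label if present, and whether a logged-in user requested the halt."""
    events = []
    for line in log_text.splitlines():
        m = DAEMON_END_RE.match(line)
        if not m:
            continue
        auid = int(m.group('auid'))
        subj = re.search(r'\bsubj=(\S+)', line)
        events.append({
            'time': datetime.fromtimestamp(int(m.group('ts')), tz=timezone.utc),
            'serial': int(m.group('serial')),
            'auid': auid,
            'pid': int(m.group('pid')),
            'subj': subj.group(1) if subj else None,
            # A real login uid means a person (or something running under a
            # person's session) stopped the daemon, not init at shutdown.
            'user_initiated': auid != AUID_UNSET,
        })
    return events


def suspicious_halts(log_text):
    """DAEMON_END events whose sender had a login uid: the ones to investigate."""
    return [e for e in parse_daemon_end(log_text) if e['user_initiated']]


if __name__ == '__main__':
    for e in parse_daemon_end(SAMPLE_LOG):
        flag = 'USER' if e['user_initiated'] else 'system'
        print(f"{e['time']:%Y-%m-%d %H:%M:%S}Z serial={e['serial']} "
              f"auid={e['auid']} pid={e['pid']} subj={e['subj']} [{flag}]")
```

On a live host the same records can be pulled with `ausearch -m DAEMON_END` and then searched for the pid in the surrounding SYSCALL events (or in syslog, per the reply) to see what process sent the signal. Note that auid is the login uid, so a halt from a root shell obtained via su or sudo still points back to the original user.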