How to monitor audit/audispd killed
Steve Grubb
sgrubb at redhat.com
Mon Jan 4 14:32:47 UTC 2016
On Monday, January 04, 2016 08:10:29 PM Matthew Chao wrote:
> Hi,
>
> I added the following rules in audit.rules for monitoring auditd/audispd being
> killed (audit ver: 1.8),
> =============
> -a exit,always -F perm=wa -F path=/var/run/auditd.pid -k cfg
>
> -a exit,always -F perm=wa -F path=/var/run/audispd_events -k cfg
>
> Or
> -a exit,always -S kill -F path=/var/run/auditd.pid -k cfg
>
> -a exit,always -S kill -F path=/var/run/audispd_events -k cfg
> =============
>
> However, these rules don't work:
You have a race condition where auditd gets a signal to shutdown and an event
indicating that shutdown is occurring. On shutdown, the audit daemon does not
alter the rules or whether auditing is enabled. (This was to get shutdown AVCs
for selinux.) There is a chance that your event is in syslog's files.
> Even when the processes (auditd/audispd) are killed, I can't get any related
> messages except DAEMON_END.
The daemon end event should give you 2 things, who issued the shutdown (auid)
and the sending pid. That should let you track it down.
-Steve
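To show how the two fields Steve mentions can be pulled out of the DAEMON_END record, here is a small parser written as an added example for this thread; it is not code from the thread or from the audit project. The sample records are constructed, and the exact layout of a DAEMON_END line (the `op=`, `auid=`, `pid=`, `subj=`, `res=` fields after the timestamp) is assumed here and varies between audit versions; the parser therefore only relies on the `auid=` and `pid=` keys being present, as Steve describes. The value 4294967295 is the kernel's "unset" login uid, which is what you see when the shutdown came from init/systemd rather than from a logged-in user.

```python
import re

# Constructed sample audit.log lines (not from the original thread).
# Record 1: shutdown requested from a login session (auid=1000).
# Record 2: shutdown with an unset auid (system service, e.g. init).
# Record 3: an unrelated record, which the parser must ignore.
SAMPLE_RECORDS = [
    "type=DAEMON_END msg=audit(1451915567.123:4567): op=terminate auid=1000 "
    "pid=2345 subj=unconfined_u:unconfined_r:unconfined_t:s0 res=success",
    "type=DAEMON_END msg=audit(1451915600.456:4570): op=terminate auid=4294967295 "
    "pid=1 subj=system_u:system_r:init_t:s0 res=success",
    "type=SYSCALL msg=audit(1451915601.000:4571): arch=c000003e syscall=62 "
    "success=yes exit=0 a0=929 a1=f a2=0 a3=0 items=0 ppid=1 pid=2345",
]

AUID_UNSET = 4294967295  # (uid_t)-1: no login session attached to the sender

_TS_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
_AUID_RE = re.compile(r"\bauid=(\d+)")
_PID_RE = re.compile(r"\bpid=(\d+)")


def parse_daemon_end(line):
    """Return the who/what of an auditd shutdown, or None for other records.

    Only DAEMON_END records are considered.  We extract the event time and
    serial from msg=audit(...), the login uid of whoever asked for the
    shutdown (auid=) and the pid that sent the signal (pid=).
    """
    if not line.startswith("type=DAEMON_END"):
        return None
    ts = _TS_RE.search(line)
    auid = _AUID_RE.search(line)
    pid = _PID_RE.search(line)
    if not (ts and auid and pid):
        return None  # malformed or truncated record: don't guess
    auid_val = int(auid.group(1))
    return {
        "time": int(ts.group(1)),
        "serial": int(ts.group(2)),
        "auid": auid_val,
        "auid_unset": auid_val == AUID_UNSET,
        "sender_pid": int(pid.group(1)),
    }


def find_daemon_stops(lines):
    """Filter a sequence of audit.log lines down to parsed DAEMON_END events."""
    return [rec for rec in (parse_daemon_end(l) for l in lines) if rec]


def describe(rec):
    """Human-readable summary suitable for an alert body."""
    who = ("no login session (auid unset)" if rec["auid_unset"]
           else "auid=%d" % rec["auid"])
    return ("auditd stopped at %d (serial %d): signal sent by pid %d, %s"
            % (rec["time"], rec["serial"], rec["sender_pid"], who))


if __name__ == "__main__":
    for rec in find_daemon_stops(SAMPLE_RECORDS):
        print(describe(rec))
```

Run this against a real audit.log (`find_daemon_stops(open("/var/log/audit/audit.log"))`) to get one summary per daemon stop; the `sender_pid` is the value to correlate with whatever process accounting or SYSCALL records you have for that pid, and an unset auid is the hint that the stop came from init rather than from an interactive user.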