Alert when auditd is stopped
Steve Grubb
sgrubb at redhat.com
Wed Mar 2 17:11:35 UTC 2022
Hello,
On Wednesday, March 2, 2022 10:51:57 AM EST MAUPERTUIS, PHILIPPE wrote:
> During an audit, we had a question about stopping auditd.
> What will be the best way either to get an alert when auditd is stopped ?
Since by now everything probably uses systemd, I think you can add an
OnFailure= clause to the auditd.service file that starts a one-shot service
that you write, which sends you the alert however you need it sent.
> Is it possible to forbid altogether to stop auditd ?
The intended systemd configuration does not allow stopping auditd by dbus. It
is intended to be controlled by the service command. The stop script sends a
signal to auditd. So, removing the script won't work since any root user can
send the TERM or KILL signal. I don't think systemd can limit signals
received by a daemon. But it can restart a daemon if it fails. Auditd places
an ignore on all signals except the ones it expects such as TERM. The KILL
and STOP signals cannot be blocked.
> Can we still stop auditd when the rules are made immutable ?
Yes. The rules are in the kernel. Making them immutable tells the kernel not
to accept any more rules. It doesn't affect auditd.
-Steve
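One concrete way to wire up the OnFailure= approach described above, added here as an example rather than taken from the original message; the drop-in path, the unit name auditd-alert.service and the logger-based alert command are assumptions that you would adapt to your own alerting channel:

```ini
# /etc/systemd/system/auditd.service.d/alert.conf   (assumed path)
# A drop-in leaves the vendor auditd.service untouched and survives upgrades.
[Unit]
OnFailure=auditd-alert.service

[Service]
# Optional: bring auditd back on its own after a crash or SIGKILL.
Restart=on-failure
RestartSec=5s

# /etc/systemd/system/auditd-alert.service   (assumed name)
[Unit]
Description=Alert when auditd.service enters the failed state
After=auditd.service

[Service]
Type=oneshot
# %H expands to the host name. Replace the logger call with whatever delivers
# the alert (mail, webhook, ...); logger only writes a critical syslog entry.
ExecStart=/usr/bin/logger -p auth.crit -t auditd-watch "auditd failed on %H"

# Activate with: systemctl daemon-reload
```

OnFailure= fires only when auditd.service enters the failed state, for example after a crash or a SIGKILL; an orderly stop through the init script, which sends SIGTERM and lets auditd exit cleanly, ends in the inactive state and does not trigger it.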