On Wednesday, September 29, 2010 11:01:29 am romain.pelissier(a)bell.ca wrote:
> I am wondering if there is a way to monitor with auditd daemon activity
> like a start and stop.
We recently patched systemd to record this information. Otherwise, you can add
a file watch on the individual daemon init scripts and see someone accessing
the file, but you don't know what they have attempted. Could just be status.
> I see in the logs of auditd that some activities with crond and/or pam are
> logged like:
> msg='PAM session close: user=root exe="/usr/sbin/crond"
> ...
> msg='PAM accounting: user=nagios exe="/usr/sbin/sshd"
> and I am wondering if I can catch a user that is trying to stop or start a
> daemon like syslog-ng.
Not without patching the init program. You need something with privilege and
that knows what is going on in order to do that.
> Also, why, if I have no rules defined, does auditd log those things anyway?
Because auditd enables the audit system. If the audit system was not enabled,
you would not get anything. You also have to understand that the rules are for
kernel events like accessing a file or making a syscall. It cannot decide that
pam should start sending anything or cron or sshd. So, all daemons and
security apps send events because they can't tell if they are needed or not.
But if you don't want some kinds of events, you can always use the exclude
filter.
-Steve
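The two mechanisms Steve mentions, a file watch on the init script and the exclude filter, shown as an added example that is not part of the original thread. The script path /etc/init.d/syslog-ng, the key name syslog-ng-init, the choice of CRED_REFR as the message type to drop, and all log lines are assumptions constructed for illustration; the parser only shows how to pull the acting user (auid), the executable and, where the kernel emitted an EXECVE record for the audited exec, the argument out of the records that share one event serial.

```shell
#!/bin/sh
# Added example, not from the original thread. Paths, key name, message type
# and the sample log are assumptions made for illustration.

# 1. Rules for `auditctl -R rules.txt` or /etc/audit/audit.rules:
#    - watch the init script for execute access (-p x) and tag hits with a key
#    - use the exclude filter to drop one chatty message type from PAM
print_rules() {
    cat <<'EOF'
-w /etc/init.d/syslog-ng -p x -k syslog-ng-init
-a exclude,always -F msgtype=CRED_REFR
EOF
}

# 2. Constructed sample of audit.log after the watch fires (not captured from
#    a real system; inode, pids, timestamps and serials are illustrative).
SAMPLE_LOG=$(cat <<'EOF'
type=SYSCALL msg=audit(1285772489.123:42): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2002 auid=1000 uid=0 gid=0 euid=0 comm="syslog-ng" exe="/bin/bash" key="syslog-ng-init"
type=EXECVE msg=audit(1285772489.123:42): argc=2 a0="/etc/init.d/syslog-ng" a1="stop"
type=CWD msg=audit(1285772489.123:42):  cwd="/root"
type=PATH msg=audit(1285772489.123:42): item=0 name="/etc/init.d/syslog-ng" inode=1234 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=USER_ACCT msg=audit(1285772489.500:43): user pid=2100 uid=0 auid=4294967295 msg='PAM accounting: user=nagios exe="/usr/sbin/sshd"'
EOF
)

# 3. Read audit.log records on stdin; for every SYSCALL record carrying our
#    key, report auid and exe, and join the EXECVE record with the same serial
#    to recover the first argument (start/stop/status). Real EXECVE fields can
#    be hex-encoded when they contain spaces; this parser does not decode that.
report_init_script_use() {
    awk '
    # serial number is the integer after the colon in audit(secs.usecs:serial)
    function serial(line,   m) {
        if (match(line, /audit\([0-9.]+:[0-9]+\)/)) {
            m = substr(line, RSTART, RLENGTH); sub(/.*:/, "", m); sub(/\)/, "", m)
            return m
        }
        return ""
    }
    # value of name=value or name="value"
    function field(line, name,   m) {
        if (match(line, name "=\"?[^\" ]*\"?")) {
            m = substr(line, RSTART, RLENGTH); sub(/^[^=]*=/, "", m); gsub(/"/, "", m)
            return m
        }
        return ""
    }
    /^type=SYSCALL / && /key="syslog-ng-init"/ {
        id = serial($0); auid[id] = field($0, "auid"); exe[id] = field($0, "exe")
    }
    /^type=EXECVE / { id = serial($0); arg[id] = field($0, "a1") }
    END {
        for (id in auid)
            printf "event=%s auid=%s exe=%s arg=%s\n", id, auid[id], exe[id], (id in arg) ? arg[id] : "?"
    }'
}

# Demonstration when run directly.
print_rules
printf '%s\n' "$SAMPLE_LOG" | report_init_script_use
```

The watch rule only fires for execute access to that one inode, so a copy of the script or a direct `kill` of the daemon is not caught by it; the exclude rule is matched on the record type alone, which is why it is the right tool for silencing the PAM and cron records asked about above without touching the kernel rules.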