Here is a silly question (I don't know if this has been resolved in newer releases; I am using audit-1.7.13).

I have an execve rule for any attempt to execute auditd, for example. I never get any audit records when mortal users attempt to run the command (even though they will fail). I only see success events when the commands are executed as root.

I know all of the executables that ship with the audit packages check to see if root is executing them, but I think there is value in knowing who might be attempting to stop the audit daemon from a security perspective.

Anyone have any thoughts on this?

Thanks,

Kevin
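The point Kevin raises, knowing who tried to run the audit tools and not only that root succeeded, is something you can pull out of audit.log on the reporting side. The script below is an added example, not code from the original post or from the audit package. It assumes an execve rule keyed `audit_tools` that covers /sbin/auditd and /sbin/auditctl (the paths and the key are assumptions), and it is run over constructed sample records, not real log data. It groups SYSCALL, EXECVE and PATH records by their serial number and reports every execve that targeted one of those binaries, distinguishing the case where the binary actually loaded and then refused to run for a non-root user (success=yes, exe is the tool) from the case where the kernel refused the execve itself (success=no, exe is still the caller's shell, so only the PATH record names the tool).

```python
"""Report execve attempts against audit tools from audit.log records.

Added example; the rule, paths and sample log lines are assumptions.
Assumed rule:  -a always,exit -F arch=b64 -S execve -F path=/sbin/auditd -k audit_tools
               (and the same for /sbin/auditctl)
"""
import os
import re
from collections import defaultdict

# Assumed locations of the audit tools worth watching.
AUDIT_TOOLS = {"/sbin/auditd", "/sbin/auditctl"}
AUDIT_TOOL_NAMES = {os.path.basename(p) for p in AUDIT_TOOLS}
SYS_EXECVE_X86_64 = "59"  # execve syscall number when arch=c000003e (x86_64)

# Constructed sample records, not real data.  Serial 101: a non-root user ran
# /sbin/auditd and the binary loaded before refusing.  Serial 102: root ran
# auditctl.  Serial 103: a non-root user tried /sbin/auditctl with a mode that
# denies exec, so execve itself failed (exit=-13 is EACCES) and exe is still the
# shell; only the PATH record names the tool.  Serial 104: unrelated execve.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1234567890.123:101): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="auditd" exe="/sbin/auditd" key="audit_tools"
type=EXECVE msg=audit(1234567890.123:101): argc=2 a0="auditd" a1="-s"
type=PATH msg=audit(1234567890.123:101): item=0 name="/sbin/auditd" inode=4242 mode=0100755 ouid=0 ogid=0
type=SYSCALL msg=audit(1234567890.456:102): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1501 auid=0 uid=0 gid=0 euid=0 tty=pts1 ses=1 comm="auditctl" exe="/sbin/auditctl" key="audit_tools"
type=EXECVE msg=audit(1234567890.456:102): argc=2 a0="auditctl" a1="-l"
type=PATH msg=audit(1234567890.456:102): item=0 name="/sbin/auditctl" inode=4243 mode=0100750 ouid=0 ogid=0
type=SYSCALL msg=audit(1234567891.000:103): arch=c000003e syscall=59 success=no exit=-13 ppid=2000 pid=2002 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=4 comm="bash" exe="/bin/bash" key="audit_tools"
type=PATH msg=audit(1234567891.000:103): item=0 name="/sbin/auditctl" inode=4243 mode=0100750 ouid=0 ogid=0
type=SYSCALL msg=audit(1234567891.500:104): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2003 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1234567891.500:104): argc=1 a0="ls"
"""

_HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit.log line into type, timestamp, serial and key=value fields."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(rest)}
    return {"type": rtype, "ts": ts, "serial": serial, "fields": fields}


def group_events(lines):
    """Records sharing a serial number belong to the same event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def find_audit_tool_execs(lines):
    """Return one summary dict per execve event that targeted an audit tool."""
    hits = []
    for serial, recs in sorted(group_events(lines).items(), key=lambda kv: int(kv[0])):
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if syscall is None or syscall["fields"].get("syscall") != SYS_EXECVE_X86_64:
            continue
        f = syscall["fields"]
        path_names = {r["fields"].get("name") for r in recs if r["type"] == "PATH"}
        argv = []
        for r in recs:
            if r["type"] == "EXECVE":
                argc = int(r["fields"].get("argc", 0))
                argv = [r["fields"].get("a%d" % i, "") for i in range(argc)]
        targeted = (
            f.get("exe") in AUDIT_TOOLS               # binary loaded, then refused
            or bool(path_names & AUDIT_TOOLS)         # execve itself was denied
            or (argv and os.path.basename(argv[0]) in AUDIT_TOOL_NAMES)
        )
        if not targeted:
            continue
        hits.append({
            "serial": serial, "auid": f.get("auid"), "uid": f.get("uid"),
            "success": f.get("success"), "exit": f.get("exit"),
            "exe": f.get("exe"), "argv": argv, "non_root": f.get("uid") != "0",
        })
    return hits


if __name__ == "__main__":
    for h in find_audit_tool_execs(SAMPLE_LOG.splitlines()):
        who = "NON-ROOT" if h["non_root"] else "root"
        print("event %s: auid=%s uid=%s (%s) success=%s exit=%s exe=%s argv=%s"
              % (h["serial"], h["auid"], h["uid"], who, h["success"],
                 h["exit"], h["exe"], " ".join(h["argv"])))
```

The auid (login uid) is the field to report for "who", since it survives su/sudo; uid tells you whether they had the privilege at the time. The reason for checking the PATH record as well as exe is that a denied execve never loads the new image, so exe in the SYSCALL record still points at the caller's shell and the only trace of the target binary is the path the kernel resolved.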