On Monday, January 04, 2016 08:10:29 PM Matthew Chao wrote:
> Hi,
> I added the following rules in audit.rules for monitoring auditd/audispd
> being killed (audit ver: 1.8):
> =============
> -a exit,always -F perm=wa -F path=/var/run/auditd.pid -k cfg
> -a exit,always -F perm=wa -F path=/var/run/audispd_events -k cfg
> Or
> -a exit,always -S kill -F path=/var/run/auditd.pid -k cfg
> -a exit,always -S kill -F path=/var/run/audispd_events -k cfg
> =============
> However, these rules don't work:

You have a race condition where auditd gets a signal to shut down and an event
indicating that shutdown is occurring. On shutdown, the audit daemon does not
alter the rules or whether auditing is enabled. (This was to get shutdown AVCs
for selinux.) There is a chance that your event is in syslog's files.

> Even when the processes (auditd/audispd) are killed, I can't get any
> related messages except DAEMON_END.

The daemon end event should give you 2 things, who issued the shutdown (auid)
and the sending pid. That should let you track it down.

-Steve
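Added example, not code from the thread or from the audit project: a small Python parser that does what Steve describes, pulling the auid and sending pid out of DAEMON_END records in audit.log and then looking for other records from that pid to identify the sender. The log lines are constructed; the DAEMON_END wording ("auditd normal halt, sending auid=... pid=...") is assumed to be the form auditd wrote at the time, and the parser keys only on the auid= and pid= fields so that other wordings still parse. The SYSCALL line is constructed as what a plain syscall rule on kill (without the path filter) would have recorded.

```python
import re

# Constructed sample audit.log excerpt (not from the thread). The DAEMON_END
# wording is an assumption about auditd's format; only auid= and pid= matter.
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1451900000.100:1): auditd start, ver=2.4 format=raw kernel=4.2 auid=4294967295 pid=900 res=success
type=SYSCALL msg=audit(1451900100.200:5): arch=c000003e syscall=62 success=yes exit=0 a0=384 a1=f a2=0 a3=0 items=0 ppid=1 pid=2200 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="kill" exe="/usr/bin/kill" key="cfg"
type=DAEMON_END msg=audit(1451900100.201:6): auditd normal halt, sending auid=1000 pid=2200 subj=unconfined_u:unconfined_r:unconfined_t:s0 res=success
"""

UNSET_AUID = 4294967295  # kernel reports this when no login uid was ever set

HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
AUID_RE = re.compile(r"\bauid=(?P<auid>\d+)\b")
PID_RE = re.compile(r"\bpid=(?P<pid>\d+)\b")
COMM_RE = re.compile(r'\bcomm="(?P<comm>[^"]*)"')
EXE_RE = re.compile(r'\bexe="(?P<exe>[^"]*)"')


def parse_daemon_end(log_text):
    """Return one dict per DAEMON_END record: ts, serial, auid, pid."""
    events = []
    for line in log_text.splitlines():
        h = HEADER_RE.match(line)
        if not h or h.group("type") != "DAEMON_END":
            continue
        a = AUID_RE.search(line)
        p = PID_RE.search(line)
        if not (a and p):
            continue  # malformed record; skip rather than guess
        events.append({
            "ts": float(h.group("ts")),
            "serial": int(h.group("serial")),
            "auid": int(a.group("auid")),
            "pid": int(p.group("pid")),
        })
    return events


def find_sender_records(log_text, sender_pid):
    """Other records carrying pid=<sender_pid>, useful to learn comm/exe."""
    hits = []
    for line in log_text.splitlines():
        h = HEADER_RE.match(line)
        if not h or h.group("type") == "DAEMON_END":
            continue
        p = PID_RE.search(line)
        if not p or int(p.group("pid")) != sender_pid:
            continue
        c = COMM_RE.search(line)
        e = EXE_RE.search(line)
        hits.append({
            "type": h.group("type"),
            "comm": c.group("comm") if c else None,
            "exe": e.group("exe") if e else None,
        })
    return hits


def describe_shutdown(event, log_text):
    """One-line finding for a reviewer: when, which pid, which login uid."""
    if event["auid"] == UNSET_AUID:
        who = "a process with no login uid (init or a boot-time service)"
    else:
        who = "login uid %d" % event["auid"]
    senders = find_sender_records(log_text, event["pid"])
    tool = next((s["exe"] for s in senders if s["exe"]), "unknown exe")
    return "auditd stopped at %.3f by pid %d (%s), %s" % (
        event["ts"], event["pid"], tool, who)


if __name__ == "__main__":
    for ev in parse_daemon_end(SAMPLE_LOG):
        print(describe_shutdown(ev, SAMPLE_LOG))
```

On a real host you would feed it the output of ausearch over the relevant window rather than a raw file slice, and an unset auid (4294967295) is what a clean system shutdown looks like; a DAEMON_END carrying a real login uid outside a maintenance window is the case worth alerting on.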