Hello,
On Wednesday, March 2, 2022 10:51:57 AM EST MAUPERTUIS, PHILIPPE wrote:
> During an audit, we had a question about stopping auditd.
> What would be the best way to get an alert when auditd is stopped?
Since by now everything probably uses systemd, I think you can add an
OnFailure= clause to the auditd.service file that starts a one-shot service
that you write, which sends you the alert however you need it sent.
> Is it possible to forbid stopping auditd altogether?
The intended systemd configuration does not allow stopping auditd by dbus. It
is intended to be controlled by the service command. The stop script sends a
signal to auditd. So, removing the script won't work since any root user can
send the TERM or KILL signal. I don't think systemd can limit signals
received by a daemon. But it can restart a daemon if it fails. Auditd places
an ignore on all signals except the ones it expects such as TERM. The KILL
and STOP signals cannot be blocked.
> Can we still stop auditd when the rules are made immutable?
Yes. The rules are in the kernel. Making them immutable tells the kernel not
to accept any more rules. It doesn't affect auditd.
-Steve
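A concrete form of the OnFailure= approach from the reply above, written as an added example for this thread (it is not code from the audit project or from either poster). It installs a drop-in under the distribution's auditd.service rather than editing the unit itself. The unit names auditd-alert.service and alert.conf, the target directory argument, and the use of logger as the alert transport are assumptions; swap the logger call for whatever reaches you. Note that OnFailure= fires only when the unit enters the "failed" state (for example after SIGKILL); a daemon that exits cleanly after SIGTERM leaves the unit "inactive", so the drop-in also adds an ExecStopPost= command, which systemd runs on every stop and which can see $SERVICE_RESULT and $EXIT_STATUS.

```shell
#!/bin/sh
# Added example, not part of the original thread. Installs:
#   <dir>/auditd-alert.service          one-shot unit that delivers the alert
#   <dir>/auditd.service.d/alert.conf   drop-in hooking it into auditd.service
# The unit names and the logger transport are assumptions.
# Usage: write_auditd_alert_units [SYSTEMD_DIR]   (default /etc/systemd/system)
# Afterwards run: systemctl daemon-reload

write_auditd_alert_units() {
    dir="${1:-/etc/systemd/system}"
    mkdir -p "$dir/auditd.service.d"

    # One-shot unit started by OnFailure=. Replace the logger line with a
    # mail, webhook, or SIEM forwarder call as needed.
    cat > "$dir/auditd-alert.service" <<'EOF'
[Unit]
Description=Alert that auditd has stopped

[Service]
Type=oneshot
ExecStart=/usr/bin/logger -p auth.crit -t auditd-alert "auditd.service is no longer running"
EOF

    # Drop-in that extends auditd.service without editing the packaged file.
    # OnFailure= covers the "failed" state (e.g. SIGKILL). ExecStopPost= runs
    # on every stop, clean or not, so a graceful exit is reported as well.
    # ${SERVICE_RESULT} and ${EXIT_STATUS} are expanded by systemd, not by
    # this shell (the heredoc is quoted).
    cat > "$dir/auditd.service.d/alert.conf" <<'EOF'
[Unit]
OnFailure=auditd-alert.service

[Service]
ExecStopPost=/usr/bin/logger -p auth.crit -t auditd-alert "auditd stopped: result=${SERVICE_RESULT} status=${EXIT_STATUS}"
EOF
}

# Sanity check: print the OnFailure= target configured in the drop-in.
auditd_alert_target() {
    dir="${1:-/etc/systemd/system}"
    sed -n 's/^OnFailure=//p' "$dir/auditd.service.d/alert.conf"
}
```

After installing, `systemd-analyze verify auditd.service` will report a typo in the drop-in before it causes a failed reload, and `systemctl cat auditd.service` shows the merged result. Bear in mind that this only reports the stop; as the reply above says, nothing here prevents root from sending KILL, and the alert itself goes through syslog, which the same root user can also stop.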