Hello,

On Wednesday, March 2, 2022 10:51:57 AM EST MAUPERTUIS, PHILIPPE wrote:
> During an audit, we had a question about stopping auditd.
> What will be the best way either to get an alert when auditd is stopped?

Since by now everything probably uses systemd, I think you can add an OnFailure= clause to the auditd.service file that starts a one-shot service that you write which sends you the alert however you need it sent.

> Is it possible to forbid altogether to stop auditd?

The intended systemd configuration does not allow stopping auditd by dbus. It is intended to be controlled by the service command. The stop script sends a signal to auditd. So, removing the script won't work since any root user can send the TERM or KILL signal. I don't think systemd can limit signals received by a daemon. But it can restart a daemon if it fails. Auditd places an ignore on all signals except the ones it expects such as TERM. The KILL and STOP signals cannot be blocked.

> Can we still stop auditd when the rules are made immutable?

Yes. The rules are in the kernel. Making them immutable tells the kernel not to accept any more rules. It doesn't affect auditd.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
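The OnFailure= approach described above, as an added example that is not part of the original thread: a drop-in for auditd.service plus a template alert unit. The drop-in path, the unit name failure-alert@.service and the /usr/local/sbin/failure-alert script are assumptions, not anything shipped with audit.

```ini
# Assumed drop-in path: /etc/systemd/system/auditd.service.d/onfailure.conf
# A drop-in extends the vendor auditd.service without replacing it.
[Unit]
# Activate the alert unit whenever auditd.service enters the "failed" state,
# e.g. after an unexpected exit or an uncatchable SIGKILL. %n expands to this
# unit's own name (auditd.service), which becomes the template instance.
# Note: a clean exit after SIGTERM (what the service stop script sends) ends
# as "inactive", not "failed", so OnFailure= alone does not cover a regular
# administrative stop; it covers crashes and kills.
OnFailure=failure-alert@%n.service

[Service]
# Bring the daemon back after a failure; a normal stop is not restarted.
Restart=on-failure
RestartSec=5s

# Assumed template unit: /etc/systemd/system/failure-alert@.service
# Instantiated as failure-alert@auditd.service.service; %i is the instance
# name, i.e. the unit that failed.
[Unit]
Description=Alert that %i has failed

[Service]
Type=oneshot
# Hypothetical script that delivers the alert (mail, syslog, webhook, ...).
# It receives the failed unit name as its only argument.
ExecStart=/usr/local/sbin/failure-alert %i
```

After placing both files, run `systemctl daemon-reload`; `systemctl show -p OnFailure auditd.service` confirms the drop-in was picked up.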