On 04/02/2014 11:51 AM, John Musbach wrote:
> Hello I've been tasked with fixing up an auditd policy but it's on a server
> that's actively being used and the policy installed was set immutable. I've
> tried searching and everyone recommends rebooting to escape immutable mode…
> But is there really no way to code up something that, as root, removes
> immutable mode without a reboot? I find it pretty amazing nobody seems to
> have attempted to do this already.
Greetings,

I am honestly not trying to be snarky here, but that is the point. These /are/ _the_ audit rules for your system. I don't want a potential attacker (or worse, a coworker/intern who really shouldn't be messing with my server) to be able to turn off auditing. If they have root access, that box is already screwed, but I would prefer to have a decent audit trail to go off of. Sure, it is possible to adjust the settings with a reboot, but my alert systems go off when a server reboots outside of a maintenance window. In short, if the box is screwed over that badly anyway, I don't want to lose the audit logs too!

Trust me, I feel the pain. We have recently been having to update a lot of our audit rules, and we occasionally find things that tested fine in the dev environment but have issues in prod. (One audit rule to capture a certain event was unknowingly triggered by a prod system process so fast it was draining CPU time and causing the logs to rotate every minute! That was fun to track down...) But I would still rather immutable /be/ immutable.

Good luck!

~Stack~
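Since the thread's practical takeaway is "check the rules before they go on a box that will lock them in", here is a small pre-deployment lint script. It is an added example written for this page, not code posted by either participant or shipped with audit-userspace. It assumes the standard `auditctl -s` status format (a line reading `enabled 2` means immutable) and the usual audit.rules conventions (`-e 2` must be the last active line, because once the kernel is immutable every later rule load fails; `-r N` is the message rate limit that would have contained the runaway rule described above). The status output and both rules files are constructed sample data so the script runs offline; on a real host you would feed it the output of `auditctl -s` and the contents of /etc/audit/audit.rules.

```shell
#!/bin/sh
# Added example: lint an audit.rules file and report whether the running
# auditd is already immutable (in which case rule changes need a reboot).
# All inputs below are constructed samples, not captured from a real host.

# audit_is_immutable STATUS_TEXT
#   returns 0 when the status shows "enabled 2" (immutable), 1 otherwise
audit_is_immutable() {
    printf '%s\n' "$1" | grep -q '^enabled 2$'
}

# lint_rules RULES_TEXT
#   prints FAIL/WARN findings; returns 0 when no FAIL was found, 1 otherwise
lint_rules() {
    rules="$1"
    rc=0
    # judge ordering on active lines only: drop comments and blank lines
    active=$(printf '%s\n' "$rules" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$')
    e2_count=$(printf '%s\n' "$active" | grep -Ec '^-e[[:space:]]+2' || true)
    last=$(printf '%s\n' "$active" | tail -n 1)

    if [ "$e2_count" -gt 1 ]; then
        echo "FAIL: '-e 2' appears $e2_count times; it must appear exactly once"
        rc=1
    fi
    if [ "$e2_count" -eq 1 ] && ! printf '%s\n' "$last" | grep -Eq '^-e[[:space:]]+2'; then
        echo "FAIL: '-e 2' is not the last active line; rules after it will never load"
        rc=1
    fi
    if [ "$e2_count" -eq 0 ]; then
        echo "WARN: no '-e 2'; the rule set stays mutable at runtime"
    fi
    # a rate limit bounds how fast one hot rule can flood the log
    printf '%s\n' "$active" | grep -Eq '^-r[[:space:]]+[0-9]+' \
        || echo "WARN: no '-r' rate limit set; a noisy rule can rotate logs every minute"
    return $rc
}

# --- constructed sample inputs -------------------------------------------
SAMPLE_STATUS_IMMUTABLE='enabled 2
failure 1
pid 1234
rate_limit 0
backlog_limit 8192'

SAMPLE_STATUS_MUTABLE='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192'

SAMPLE_RULES_GOOD='## constructed sample: -e 2 last, rate limit present
-D
-b 8192
-f 1
-r 500
-w /etc/audit/ -p wa -k audit_config
-a always,exit -F arch=b64 -S execve -k exec
-e 2'

SAMPLE_RULES_BAD='## constructed sample: rule after -e 2, no rate limit
-D
-b 8192
-e 2
-w /etc/passwd -p wa -k identity'

# --- stand-alone demonstration -------------------------------------------
if audit_is_immutable "$SAMPLE_STATUS_IMMUTABLE"; then
    echo "status: auditd is immutable; rule changes require a reboot"
fi
echo "--- linting good rules"; lint_rules "$SAMPLE_RULES_GOOD" || true
echo "--- linting bad rules";  lint_rules "$SAMPLE_RULES_BAD"  || true
```

Run it in the dev environment as part of whatever pushes the rules file out; a FAIL means the file would either fail to load fully or leave the box mutable in a way you did not intend, and both are much cheaper to find before `-e 2` has taken effect on a production host.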
