Auditing Attempts to run Audit commands.

Boyce, Kevin P (AS) Kevin.Boyce at ngc.com
Tue Oct 5 16:30:41 UTC 2010


Here is a silly question (I don't know if this has been resolved in
newer releases, I am using audit-1.7.13).

I have an execve rule for any attempt to execute auditd for example.  I
never get any audit records when mortal users attempt to run the command
(even though they will fail).  I only see success events when the
commands are executed as root.

I know all of the executables that ship with the audit packages check to
see if root is executing them, but I think there is value in knowing who
might be attempting to stop the audit daemon from a security
perspective.

Anyone have any thoughts on this?

Thanks,

Kevin
