Here is a silly question (I don’t know if this has been resolved in newer releases; I am using audit-1.7.13).
I have an execve rule for any attempt to execute auditd, for example. I never get any audit records when mortal users attempt to run the command (even though they will fail). I only see success events when the commands are executed as root.
I know all of the executables that ship with the audit packages check to see if root is executing them, but I think there is value in knowing who might be attempting to stop the audit daemon from a security perspective.
Anyone have any thoughts on this?
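Added example, not from the original post: a watch rule (assumed key `auditd_exec`, assumed binary path /sbin/auditd) that records every execve of auditd without a success filter, plus a small shell helper run over constructed SYSCALL records so that failed attempts by non-root login accounts are listed next to root's successful ones.

```shell
#!/bin/sh
# Added example; the log lines below are constructed, not captured.
# Assumed rule (no -F success= filter, so both success=yes and
# success=no SYSCALL records are emitted for the watched binary):
#   auditctl -w /sbin/auditd -p x -k auditd_exec
# Review afterwards with:  ausearch -k auditd_exec -i

# Constructed SYSCALL records: root succeeds (auid=0), a mortal user
# fails with EACCES (exit=-13). Note that on a failed execve, comm/exe
# still name the caller (the shell), not the binary that was attempted.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1300000000.100:101): arch=c000003e syscall=59 success=yes exit=0 a0=7fff0 a1=7fff1 a2=7fff2 a3=0 items=2 ppid=2000 pid=2001 auid=0 uid=0 gid=0 euid=0 tty=pts0 ses=1 comm="auditd" exe="/sbin/auditd" key="auditd_exec"
type=SYSCALL msg=audit(1300000000.200:102): arch=c000003e syscall=59 success=no exit=-13 a0=7fff0 a1=7fff1 a2=7fff2 a3=0 items=2 ppid=3000 pid=3001 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=2 comm="bash" exe="/bin/bash" key="auditd_exec"
type=CWD msg=audit(1300000000.200:102): cwd="/home/alice"'

# Summarise every SYSCALL record carrying the key, one line per record:
#   auid=<login uid> uid=<uid> success=<yes|no> exit=<code>
summarize_exec_attempts() {
    awk -v key='auditd_exec' '
        $1 == "type=SYSCALL" && index($0, "key=\"" key "\"") {
            auid = ""; uid = ""; succ = ""; ex = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "auid") auid = kv[2]
                else if (kv[1] == "uid") uid = kv[2]
                else if (kv[1] == "success") succ = kv[2]
                else if (kv[1] == "exit") ex = kv[2]
            }
            printf "auid=%s uid=%s success=%s exit=%s\n", auid, uid, succ, ex
        }'
}

# Only the records where a non-root login account (auid != 0) tried
# and failed: the "who is attempting to stop auditd" view.
failed_nonroot_attempts() {
    summarize_exec_attempts | awk '$1 != "auid=0" && $3 == "success=no"'
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | failed_nonroot_attempts
fi
```

Feed real records with `ausearch -k auditd_exec --raw | failed_nonroot_attempts`; the same filter works on /var/log/audit/audit.log directly.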