Auditing Attemtps to run Audit commands.
Steve Grubb
sgrubb at redhat.com
Tue Oct 5 16:48:25 UTC 2010
On Tuesday, October 05, 2010 12:30:41 pm Boyce, Kevin P (AS) wrote:
> I have an execve rule for any attempt to execute auditd for example. I
> never get any audit records when mortal users attempt to run the command
> (even though they will fail). I only see success events when the
> commands are executed as root.
The audit utilities are protected by file permissions. So, if the user cannot
actually access the binary, they never made an attempt. This gets cutoff in the
filename resolution phase so the audit rule never triggers. IOW, you have to
have a fully resolved path in the kernel for it to count as an attempt.
> I know all of the executables that ship with the audit packages check to
> see if root is executing them, but I think there is value in knowing who
> might be attempting to stop the audit daemon from a security
> perspective.
You can add a watch to the init script if you want.
-Steve
More information about the Linux-audit
mailing list