[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Auditing Attemtps to run Audit commands.

On Tuesday, October 05, 2010 12:30:41 pm Boyce, Kevin P (AS) wrote:
> I have an execve rule for any attempt to execute auditd for example.  I
> never get any audit records when mortal users attempt to run the command
> (even though they will fail).  I only see success events when the
> commands are executed as root.

The audit utilities are protected by file permissions. So, if the user cannot 
actually access the binary, they never made an attempt. This gets cutoff in the 
filename resolution phase so the audit rule never triggers. IOW, you have to 
have a fully resolved path in the kernel for it to count as an attempt.

> I know all of the executables that ship with the audit packages check to
> see if root is executing them, but I think there is value in knowing who
> might be attempting to stop the audit daemon from a security
> perspective.

You can add a watch to the init script if you want.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]