Preventing Audit Stops in Redhat 7

At the same time, I want the auditd service to start forever, and the user cannot stop it with any commands.

My current auditd service is:

    ~]# systemctl cat auditd
    # /usr/lib/systemd/system/auditd.service
    [Unit]
    Description=Security Auditing Service
    DefaultDependencies=no
    After=local-fs.target systemd-tmpfiles-setup.service
    Conflicts=shutdown.target
    Before=sysinit.target shutdown.target
    RefuseManualStop=yes
    ConditionKernelCommandLine=!audit=0

    [Service]
    ExecStart=/sbin/auditd -n
    ## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
    ## and comment/delete the next line and uncomment the auditctl line.
    ## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
    ExecStartPost=-/sbin/augenrules --load
    #ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
    ExecReload=/bin/kill -HUP $MAINPID

    [Install]
    WantedBy=multi-user.target

    # /etc/systemd/system/auditd.service.d/override.conf
    [Service]
    ExecReload=
    ExecReload=/bin/kill -HUP $MAINPID ; /sbin/augenrules --load

I cannot stop this service from the command:

    # systemctl stop auditd.service
    Failed to stop auditd.service: Operation refused, unit auditd.service may be requested by dependency only.

But when I use "service auditd stop", I can stop this service as usual.

    # service auditd stop
    Stopping logging: [ OK ]

How can I prevent this? Thanks

1 answer

The administrator (root) will always be able to manually kill the auditd process (which the service command does). The systemd system does this only so that the administrator does not execute it through the systemctl interface.

In both cases, unprivileged users cannot kill the daemon.

If you want to limit even what root can do, you will have to use SELinux and configure the policy.

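Since the answer above is right that root can always terminate auditd (the "service auditd stop" path simply signals the process), the practical control is to make sure a stop is noticed: auditd writes a DAEMON_END record when it terminates cleanly and a DAEMON_ABORT record when it exits abnormally. The following POSIX shell snippet is an added example, not code from the question or the answer: it scans audit.log-style records on stdin and reports every daemon stop or abort with its timestamp, the login UID that triggered it, and the daemon PID. The sample records embedded in sample_records are constructed to approximate the DAEMON_* record layout; the timestamps, PIDs, serial numbers and kernel string are made up.

```sh
#!/bin/sh
# Added example (not from the original post). Detects audit daemon stop/abort
# events in audit.log-style records. Assumes the record layout
# "type=<TYPE> msg=audit(<EPOCH>.<MS>:<SERIAL>): key=value ..." used by auditd.

# sample_records: constructed records approximating /var/log/audit/audit.log
# entries (all values are made up for the example).
sample_records() {
    printf '%s\n' \
      'type=DAEMON_START msg=audit(1700000000.100:1): op=start ver=2.8.5 format=raw kernel=3.10.0 auid=4294967295 pid=1234 uid=0 ses=4294967295 res=success' \
      'type=SYSCALL msg=audit(1700000010.500:2): arch=c000003e syscall=59 success=yes exit=0 pid=2001 auid=1000 uid=0 comm="service" exe="/usr/bin/bash"' \
      'type=DAEMON_END msg=audit(1700000500.300:3): op=terminate auid=1000 pid=1234 subj=system_u:system_r:auditd_t:s0 res=success' \
      'type=DAEMON_START msg=audit(1700000600.100:4): op=start ver=2.8.5 format=raw kernel=3.10.0 auid=4294967295 pid=1300 uid=0 ses=4294967295 res=success' \
      'type=DAEMON_ABORT msg=audit(1700000900.400:5): op=abort auid=4294967295 pid=1300 subj=system_u:system_r:auditd_t:s0 res=failed'
}

# audit_stop_events: read audit records on stdin and print one line per event
# that means the audit daemon went away:
#   DAEMON_END   - clean stop (systemctl, the legacy service action, or kill)
#   DAEMON_ABORT - crash or forced exit
# Output format: "<epoch> <type> auid=<auid> pid=<pid>".
# auid=4294967295 is the unset login UID, i.e. no interactive user session.
audit_stop_events() {
    awk '
        /^type=(DAEMON_END|DAEMON_ABORT) / {
            # $2 looks like msg=audit(1700000500.300:3): -> take the epoch part
            split($2, m, /[(.:]/)
            auid = "?"; pid = "?"
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^auid=/) auid = substr($i, 6)
                if ($i ~ /^pid=/)  pid  = substr($i, 5)
            }
            print m[2], substr($1, 6), "auid=" auid, "pid=" pid
        }
    '
}

# count_audit_stops: number of stop/abort events on stdin, useful as a
# threshold check in a monitoring job (anything above 0 deserves a look).
count_audit_stops() {
    audit_stop_events | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: prints the two daemon exits.
sample_records | audit_stop_events
```

On a real host the same function would be fed with "ausearch -m DAEMON_END,DAEMON_ABORT --raw" or the raw log file; because a stopped daemon cannot report its own absence, the output only helps if the log is shipped off the box or the check runs from a separate monitoring host.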
