linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git
Other
140 stars 37 forks source link

RFE: provide a mechanism to shut down auditd with auid accountability via systemd #136

Open rgbriggs opened 2 years ago

rgbriggs commented 2 years ago

RFE: Create mechanism for "systemctl stop auditd" to audit the identity of the user issuing the command.

Currently, auditd is one of the few remaining users of the sysvinit package that uses the service(8) command to shut down the daemon because systemd does not provide a mechanism to record which audit uid and audit sessionid initiated the action. This policy is currently enforced in the systemd auditd service unit with "RefuseManualStop=yes". The identity of the user shutting down the secure logging service is required by common criteria. Unless systemd can record the user initiating the action systemctl cannot be allowed to stop the daemon.

One workaround to the service(8) dependence is "pkill -TERM auditd" then "systemctl start auditd".

Upstream discussion around Jan Kaluza's SCM_AUDIT idea or maybe SOCK_PASS*: v2 https://lists.linuxfoundation.org/pipermail/containers/2013-August/033405.html v3 https://lists.linuxfoundation.org/pipermail/containers/2013-September/033450.html v4 https://lists.linuxfoundation.org/pipermail/containers/2014-January/033893.html

This will require cooperation with audit userspace and with systemd.

pcmoore commented 2 years ago

It seems like attempting something similar, but with just the audit info (audit login ID, session ID) might be a place to start.