pcmoore
commented
2 years ago It seems like attempting something similar, but with just the audit info (audit login ID, session ID) might be a place to start.
Open rgbriggs opened 2 years ago
pcmoore
commented
2 years ago It seems like attempting something similar, but with just the audit info (audit login ID, session ID) might be a place to start.
RFE: Create mechanism for "systemctl stop auditd" to audit the identity of the user issuing the command.
Currently, auditd is one of the few remaining users of the sysvinit package that uses the service(8) command to shut down the daemon because systemd does not provide a mechanism to record which audit uid and audit sessionid initiated the action. This policy is currently enforced in the systemd auditd service unit with "RefuseManualStop=yes". The identity of the user shutting down the secure logging service is required by common criteria. Unless systemd can record the user initiating the action systemctl cannot be allowed to stop the daemon.
One workaround to the service(8) dependence is "pkill -TERM auditd" then "systemctl start auditd".
Upstream discussion around Jan Kaluza's SCM_AUDIT idea or maybe SOCK_PASS*: v2 https://lists.linuxfoundation.org/pipermail/containers/2013-August/033405.html v3 https://lists.linuxfoundation.org/pipermail/containers/2013-September/033450.html v4 https://lists.linuxfoundation.org/pipermail/containers/2014-January/033893.html
This will require cooperation with audit userspace and with systemd.