Discussion:
Sanity Check on Audit
Paul Whitney
2014-02-06 14:22:33 UTC
I am configuring our auditing service to send logs through rsyslog. While tinkering around, I was able to stop and start auditing from the command line as the root user. Is there a way to prevent anyone, including root, from stopping the audit service unless the system is rebooted into single user mode?

Thanks,
Paul M. Whitney
--
redhat-list mailing list
unsubscribe mailto:redhat-list-***@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
Harry Hoffman
2014-02-06 14:22:42 UTC
paul,

you might be able to write a custom selinux policy to disallow this
action but i imagine it would be pretty complex.

maybe it's better to just report on when the process isn't running?

cheers,
harry
Post by Paul Whitney
I am configuring our auditing service to send logs through rsyslog.
While tinkering around, I was able to stop and start auditing from the
command line as the root user. Is there a way to prevent anyone
including root from stopping the audit service unless system is rebooted
into single user mode?
Thanks,
Paul M. Whitney
p***@ronno.nl
2014-02-06 14:51:09 UTC
Paul,

For "Anyone" it wouldn't be a problem, but a root user is allowed to do anything.

So root is always able to stop a process on the system.

Think of a solution to lock ssh access (sshd_config) for everyone, but you.

And even this is no 100% solution.

Regards
Ron de Kuijer

________________________________________
From: redhat-list-***@redhat.com [redhat-list-***@redhat.com] On Behalf Of Paul Whitney [***@mac.com]
Sent: Thursday, February 06, 2014 15:22
To: General Red Hat Linux discussion list
Subject: Sanity Check on Audit

I am configuring our auditing service to send logs through rsyslog. While tinkering around, I was able to stop and start auditing from the command line as the root user. Is there a way to prevent anyone including root from stopping the audit service unless system is rebooted into single user mode?

Thanks,
Paul M. Whitney
m***@5-cent.us
2014-02-06 15:12:12 UTC
Post by p***@ronno.nl
Paul,
For "Anyone" it wouldn't be a problem, but a root user is allowed to do anything.
So root is always able to stop a process on the system.
Think of a solution to lock ssh access (sshd_config) for everyone, but you.
And even this is no 100% solution.
And two cents from someone who really isn't deeply into selinux: a root
user could always
$ echo 0 >/selinux/enforce
and then, with selinux in permissive mode, could do anything root could
normally do (i.e., anything).

mark
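Harry's suggestion above is to report when auditing is not running instead of trying to stop root, and Mark's note is that root can simply flip the SELinux enforce flag. The following watchdog is an added example (not code from the thread or from Red Hat) that does both checks and emits a syslog message so rsyslog can forward it: it parses the kernel audit state printed by `auditctl -s` (accepting both the older `AUDIT_STATUS: enabled=1 pid=...` form and the newer one-pair-per-line form), treats `enabled 2` as the immutable state that `auditctl -e 2` sets, and reads the SELinux enforce flag from `/sys/fs/selinux/enforce`, falling back to the older `/selinux/enforce` path used in the thread. The tag `audit-watch` and the priority levels are assumptions.

```shell
#!/bin/sh
# Added example: report auditd / SELinux state to syslog (assumed tag: audit-watch).

# audit_state: read `auditctl -s` output on stdin and print one of
# immutable (enabled=2), enabled (enabled=1 with a daemon pid),
# nodaemon (enabled=1 but pid 0, i.e. auditd was stopped) or disabled.
audit_state() {
    # Normalize "AUDIT_STATUS: enabled=1 pid=2013" and "enabled 1\npid 2013"
    # into a flat key/value token list (function-local positional params).
    set -- $(sed 's/AUDIT_STATUS://; s/=/ /g')
    enabled=0; pid=0
    while [ $# -ge 2 ]; do
        case "$1" in
            enabled) enabled=$2 ;;
            pid) pid=$2 ;;
        esac
        shift 2
    done
    case "$enabled" in
        2) echo immutable ;;
        1) if [ "$pid" -gt 0 ]; then echo enabled; else echo nodaemon; fi ;;
        *) echo disabled ;;
    esac
}

# selinux_mode: read the enforce flag (0/1) on stdin and name it.
selinux_mode() {
    read -r v || v=""
    case "$v" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# check_audit: run the live checks and log anything that is not healthy.
check_audit() {
    a=$(auditctl -s 2>/dev/null | audit_state)
    f=/sys/fs/selinux/enforce
    [ -r "$f" ] || f=/selinux/enforce     # older mount point, as in Mark's example
    s=$(cat "$f" 2>/dev/null | selinux_mode)
    msg="audit=$a selinux=$s"
    case "$a:$s" in
        enabled:enforcing|immutable:enforcing) logger -p auth.info -t audit-watch "ok $msg" ;;
        *) logger -p auth.crit -t audit-watch "ALERT $msg" ;;
    esac
    echo "$msg"
}

# Entry point: `sh audit-watch.sh run` (e.g. from cron every few minutes).
case "${1:-}" in run) check_audit ;; esac
```

Because the alert is written through syslog, it reaches the remote rsyslog host even if auditd itself is down; the gap it cannot close is root stopping rsyslog too, which is why the central host should also alert on silence from a sender.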
Harry Hoffman
2014-02-06 17:37:34 UTC
Mark,

That's not quite accurate. SELinux controls can be enabled to neuter
root's power.

Cheers,
Harry
Post by m***@5-cent.us
Post by p***@ronno.nl
Paul,
For "Anyone" it wouldn't be a problem, but a root user is allowed to do anything.
So root is always able to stop a process on the system.
Think of a solution to lock ssh access (sshd_config) for everyone, but you.
And even this is no 100% solution.
And two cents from someone who really isn't deeply into selinux: a root
user could always
$ echo 0 >/selinux/enforce
and then, with selinux in permissive mode, could do anything root could
normally do (i.e., anything).
mark