Thao Nguyen

Reputation: 472

Prevent stop auditd service in Redhat 7

Currently, I want the auditd service to run forever so that users cannot stop it via any command.

My current auditd service:

~]# systemctl cat auditd

# /usr/lib/systemd/system/auditd.service
[Unit]
Description=Security Auditing Service
DefaultDependencies=no
After=local-fs.target systemd-tmpfiles-setup.service
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
RefuseManualStop=yes
ConditionKernelCommandLine=!audit=0

[Service]
ExecStart=/sbin/auditd -n
## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
## and comment/delete the next line and uncomment the auditctl line.
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target


# /etc/systemd/system/auditd.service.d/override.conf
[Service]
ExecReload=
ExecReload=/bin/kill -HUP $MAINPID ; /sbin/augenrules --load

I can't stop this service from command:

# systemctl stop auditd.service

Failed to stop auditd.service: Operation refused, unit auditd.service may be requested by dependency only.

But when I use the service auditd stop command, I can stop this service normally.

# service auditd stop
Stopping logging:                                          [  OK  ]

How can I prevent it? Thanks

Upvotes: 4

Views: 16742

Answers (2)

aniskh

Reputation: 11

Some actions of the service command are not redirected to systemctl but run specific scripts located in /usr/libexec/initscripts/legacy-actions. In this case, the stop command will call this script:

/usr/libexec/initscripts/legacy-actions/auditd/stop

If you want the auditd service to not be stoppable by the service command, you can remove this script; the "stop" action will then be redirected to systemctl, which will block it because of the parameter "RefuseManualStop=yes". But this doesn't mean that you can't kill the process, of course.

Upvotes: 1
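A small check that encodes the mechanism described in this answer, added here as an example (not code from the answer or from Red Hat): it reports whether the systemctl path is refused and whether the legacy-actions stop script still lets "service auditd stop" bypass it. The default paths are the RHEL 7 ones from the question; the demo function builds a constructed directory tree instead of touching the real system.

```sh
#!/bin/sh
# Added example, not from the answer above. Reports whether "service auditd stop"
# can bypass systemd's RefuseManualStop=yes on a RHEL 7 host.
#
# Arguments (both optional, defaults are the real RHEL 7 paths):
#   $1  file holding the effective unit text, e.g. saved "systemctl cat auditd" output
#   $2  the legacy-actions directory for auditd
auditd_stop_guard() {
    unit="${1:-/usr/lib/systemd/system/auditd.service}"
    legacy_dir="${2:-/usr/libexec/initscripts/legacy-actions/auditd}"

    # Last assignment wins, as it does for systemd drop-ins (override.conf).
    refuse=$(sed -n 's/^RefuseManualStop=//p' "$unit" 2>/dev/null | tail -n 1)

    # service(8) only falls back to systemctl when no legacy stop script exists.
    if [ -x "$legacy_dir/stop" ]; then legacy=present; else legacy=absent; fi

    if [ "$refuse" != yes ]; then
        echo unguarded                 # systemctl stop succeeds
    elif [ "$legacy" = present ]; then
        echo bypassable-via-service    # systemctl refuses, service still stops it
    else
        echo guarded                   # both paths refuse (root can still kill)
    fi
}

# Demonstration on a constructed tree that mirrors the question's layout; prints the
# verdict before and after removing the legacy stop script, separated by a space.
demo_auditd_stop_guard() {
    tmp=$(mktemp -d) || return 1
    printf '[Unit]\nRefuseManualStop=yes\n[Service]\nExecStart=/sbin/auditd -n\n' \
        > "$tmp/auditd.service"
    mkdir -p "$tmp/legacy-actions/auditd"
    printf '#!/bin/sh\n' > "$tmp/legacy-actions/auditd/stop"   # constructed placeholder
    chmod +x "$tmp/legacy-actions/auditd/stop"

    before=$(auditd_stop_guard "$tmp/auditd.service" "$tmp/legacy-actions/auditd")
    rm -f "$tmp/legacy-actions/auditd/stop"
    after=$(auditd_stop_guard "$tmp/auditd.service" "$tmp/legacy-actions/auditd")
    rm -rf "$tmp"
    echo "$before $after"
}
```

On a live host, run `auditd_stop_guard` with no arguments after saving `systemctl cat auditd` output to a file and passing it as the first argument, so drop-in overrides are taken into account.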

Timothée Ravier

Reputation: 508

The administrator (root) will always be able to manually kill the auditd process (which is what the service command does). What systemd is doing here is only to prevent the administrator from doing it via the systemctl interface.

In both cases, unprivileged users cannot kill the daemon.

If you want to restrict even what root can do, you will have to use SELinux and customize the policy.

Upvotes: 4
