The usage of "auditd" service.

n00b_noob · 09-11-2020, 03:50 AM

Hello,
I'm using CentOS 8 and I tested my server by Lynis. It showed me below warning:

Quote:

* Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules [ACCT-9630]
https://cisofy.com/lynis/controls/ACCT-9630/

I wanted to disable this service but:

Code:

# systemctl disable auditd
Removed /etc/systemd/system/multi-user.target.wants/auditd.service.

# systemctl stop auditd
Failed to stop auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details.

# systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-08-25 16:33:31 +0430; 2 weeks 2 days ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
 Main PID: 1156 (auditd)
    Tasks: 4 (limit: 23575)
   Memory: 5.0M
   CGroup: /system.slice/auditd.service
           ├─1156 /sbin/auditd
           └─1158 /usr/sbin/sedispatch

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

Why?

Thank you.

berndbausch · 09-11-2020, 05:48 AM

I had never seen this error message before: "may be requested by dependency only". So what do you do in such a case? You use Google or (better) DuckDuckGo.

There are many pages that refer to this problem with auditd on RHEL (therefore also Centos). I found this in the RHEL 7 manual:

Quote:

Note

The service command is the only way to correctly interact with the auditd daemon. You need to use the service command so that the auid value is properly recorded. You can use the systemctl command only for two actions: enable and status.

Try it, perhaps it also works in Centos 8.

n00b_noob · 09-11-2020, 12:21 PM

Quote:

Originally Posted by berndbausch

I had never seen this error message before: "may be requested by dependency only". So what do you do in such a case? You use Google or (better) DuckDuckGo.

There are many pages that refer to this problem with auditd on RHEL (therefore also Centos). I found this in the RHEL 7 manual:

Try it, perhaps it also works in Centos 8.

Is it a bug?

Code:

$ sudo service auditd stop
Stopping logging:                                          [  OK  ]

What is the usage of Auditd?

berndbausch · 09-11-2020, 06:30 PM

Quote:

Originally Posted by n00b_noob

Is it a bug?

Hardly. It seems entirely deliberate.

Quote:

What is the usage of Auditd?

Auditing. For more info, read the manual.

n00b_noob · 09-12-2020, 12:36 AM

Quote:

Originally Posted by berndbausch

Hardly. It seems entirely deliberate.

Auditing. For more info, read the manual.

Why by default it was disabled?

berndbausch · 09-12-2020, 01:05 AM

Quote:

Originally Posted by n00b_noob

Why by default it was disabled?

Probably because it uses a non-negligible amount of resources. Also, any additional service you run increases your attack surface.

scottieH · 06-08-2021, 10:45 AM

On RedHat/CentOS (I'm sure others have this config also), the audit rules have an enable flag: -e

Code:

man -s 8 auditctl

0 = temporarily disable auditing
1 = enable auditing
2 = lock the audit configuration to prevent changes

To see what you system is set to, look in your rules file (/etc/audit/audit.rules) for the -e setting. Immutable (2), if set, should be at the end of the file.

Code:

 sudo grep -e '^-e' /etc/audit/audit.rules

If -e is 2, you will NOT be able to stop the audit daemon with systemctl.
You can either kill the pid, or use the service command, as documented by 'n00b_noob'

Code:

sudo service auditd stop

Best practice is to set this to immutable (2) to prevent someone from changing the audit rules in vitro