Is "Auditd" necessary?

hack3rcon
Posts: 663
Joined: 2014/11/24 11:04:37

Is "Auditd" necessary?

Post by hack3rcon » 2020/09/11 08:51:57

Hello,
I'm using CentOS 8 and I tested my server with Lynis. It showed me the warning below:
* Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules [ACCT-9630]
https://cisofy.com/lynis/controls/ACCT-9630/
I wanted to disable this service but:

Code:

# systemctl disable auditd
Removed /etc/systemd/system/multi-user.target.wants/auditd.service.

# systemctl stop auditd
Failed to stop auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details.

# systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-08-25 16:33:31 +0430; 2 weeks 2 days ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
 Main PID: 1156 (auditd)
    Tasks: 4 (limit: 23575)
   Memory: 5.0M
   CGroup: /system.slice/auditd.service
           ├─1156 /sbin/auditd
           └─1158 /usr/sbin/sedispatch

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
Why?

Thank you.

aks
Posts: 3022
Joined: 2014/09/20 11:22:14

Re: Is "Auditd" necessary?

Post by aks » 2020/09/16 17:56:33

systemctl list-dependencies is your friend here ....

hack3rcon
Posts: 663
Joined: 2014/11/24 11:04:37

Re: Is "Auditd" necessary?

Post by hack3rcon » 2020/09/17 18:27:15

I stopped the Auditd service.

Code:

# systemctl list-dependencies
default.target
● ├─abrt-ccpp.service
● ├─abrt-oops.service
● ├─abrt-vmcore.service
● ├─abrt-xorg.service
● ├─abrtd.service
● ├─atd.service
● ├─crond.service
● ├─dbus.service
● ├─dnf-automatic.timer
● ├─dnf-makecache.timer
● ├─fail2ban.service
● ├─firewalld.service
● ├─httpd.service
● ├─irqbalance.service
● ├─kdump.service
● ├─libstoragemgmt.service
● ├─mariadb.service
● ├─mcelog.service
● ├─mdmonitor.service
● ├─NetworkManager.service
● ├─plymouth-quit-wait.service
● ├─plymouth-quit.service
● ├─pmcd.service
● ├─pmie.service
● ├─pmlogger.service
● ├─rhsmcertd.service
● ├─rsyslog.service
● ├─smartd.service
● ├─sshd.service
● ├─sssd.service
● ├─suricata.service
● ├─sysstat.service
● ├─systemd-ask-password-wall.path
● ├─systemd-logind.service
● ├─systemd-update-utmp-runlevel.service
● ├─systemd-user-sessions.service
● ├─tuned.service
● ├─vdo.service
● ├─vmtoolsd.service
● ├─vsftpd.service
● ├─basic.target
● │ ├─-.mount
● │ ├─microcode.service
● │ ├─paths.target
● │ ├─slices.target
● │ │ ├─-.slice
● │ │ └─system.slice
● │ ├─sockets.target
● │ │ ├─dbus.socket
● │ │ ├─dm-event.socket
● │ │ ├─iscsid.socket
● │ │ ├─iscsiuio.socket
● │ │ ├─multipathd.socket
● │ │ ├─sssd-kcm.socket
● │ │ ├─systemd-coredump.socket
● │ │ ├─systemd-initctl.socket
● │ │ ├─systemd-journald-dev-log.socket
● │ │ ├─systemd-journald.socket
● │ │ ├─systemd-udevd-control.socket
● │ │ └─systemd-udevd-kernel.socket
● │ ├─sysinit.target
● │ │ ├─dev-hugepages.mount
● │ │ ├─dev-mqueue.mount
● │ │ ├─dracut-shutdown.service
● │ │ ├─import-state.service
● │ │ ├─iscsi-onboot.service
● │ │ ├─iscsi.service
● │ │ ├─kmod-static-nodes.service
● │ │ ├─ldconfig.service
● │ │ ├─loadmodules.service
● │ │ ├─lvm2-lvmpolld.socket
● │ │ ├─lvm2-monitor.service
● │ │ ├─multipathd.service
● │ │ ├─nis-domainname.service
● │ │ ├─plymouth-read-write.service
● │ │ ├─plymouth-start.service
● │ │ ├─proc-sys-fs-binfmt_misc.automount
● │ │ ├─rngd.service
● │ │ ├─selinux-autorelabel-mark.service
● │ │ ├─sys-fs-fuse-connections.mount
● │ │ ├─sys-kernel-config.mount
● │ │ ├─sys-kernel-debug.mount
● │ │ ├─systemd-ask-password-console.path
● │ │ ├─systemd-binfmt.service
● │ │ ├─systemd-firstboot.service
● │ │ ├─systemd-hwdb-update.service
● │ │ ├─systemd-journal-catalog-update.service
● │ │ ├─systemd-journal-flush.service
● │ │ ├─systemd-journald.service
● │ │ ├─systemd-machine-id-commit.service
● │ │ ├─systemd-modules-load.service
● │ │ ├─systemd-random-seed.service
● │ │ ├─systemd-sysctl.service
● │ │ ├─systemd-sysusers.service
● │ │ ├─systemd-tmpfiles-setup-dev.service
● │ │ ├─systemd-tmpfiles-setup.service
● │ │ ├─systemd-udev-trigger.service
● │ │ ├─systemd-udevd.service
● │ │ ├─systemd-update-done.service
● │ │ ├─systemd-update-utmp.service
● │ │ ├─cryptsetup.target
● │ │ ├─local-fs.target
● │ │ │ ├─-.mount
● │ │ │ ├─boot-efi.mount
● │ │ │ ├─boot.mount
● │ │ │ ├─home.mount
● │ │ │ └─systemd-remount-fs.service
● │ │ └─swap.target
● │ │   └─dev-mapper-cl\x2dswap.swap
● │ └─timers.target
● │   ├─systemd-tmpfiles-clean.timer
● │   └─unbound-anchor.timer
● ├─getty.target
● │ └─getty@tty1.service
● └─remote-fs.target

TrevorH
Forum Moderator
Posts: 29493
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Is "Auditd" necessary?

Post by TrevorH » 2020/09/17 18:36:56

Why are you disabling one of the essential security auditing tools?
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

hack3rcon
Posts: 663
Joined: 2014/11/24 11:04:37

Re: Is "Auditd" necessary?

Post by hack3rcon » 2020/09/18 11:12:35

TrevorH wrote (2020/09/17 18:36:56):
"Why are you disabling one of the essential security auditing tools?"

When I installed CentOS, this service was disabled.
Why must it be enabled when I never added any rule? Any default rules?

TrevorH
Forum Moderator
Posts: 29493
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Is "Auditd" necessary?

Post by TrevorH » 2020/09/18 16:33:46

If it was disabled when you did the install then you did something wrong. All CentOS installs include auditd and all enable it out of the box.

hack3rcon
Posts: 663
Joined: 2014/11/24 11:04:37

Re: Is "Auditd" necessary?

Post by hack3rcon » 2020/09/18 18:34:14

TrevorH wrote (2020/09/18 16:33:46):
"If it was disabled when you did the install then you did something wrong. All CentOS installs include auditd and all enable it out of the box."

Does CentOS 8 have any default rules for the Auditd service?
How can I troubleshoot it?
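
One way to check the two things this thread turns on, the empty ruleset behind Lynis ACCT-9630 and the unit setting behind the "refuse manual start/stop" message. This is an added example, not part of any post above and not Lynis's own test. It assumes that `auditctl -l` prints "No rules" when nothing is loaded and that the refusal comes from `RefuseManualStop=` in the unit file; the sample texts and function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: evaluate the ACCT-9630 condition from captured command output.
# On a live host, feed the functions from `auditctl -l` (as root) and
# `systemctl cat auditd.service` instead of the constructed samples below.

# Constructed samples (not taken from the thread).
SAMPLE_EMPTY='No rules'
SAMPLE_RULES='-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec'
SAMPLE_UNIT='[Unit]
Description=Security Auditing Service
RefuseManualStop=yes
[Service]
ExecStart=/sbin/auditd'

# ruleset_state: read `auditctl -l` output on stdin, print "empty" or "rules:<n>".
ruleset_state() {
    local n=0 line
    while IFS= read -r line; do
        case "$line" in
            ""|"No rules") ;;       # nothing loaded in the kernel
            -*) n=$((n + 1)) ;;     # loaded rules are listed as -a / -w lines
        esac
    done
    if [ "$n" -eq 0 ]; then echo "empty"; else echo "rules:$n"; fi
}

# refuses_manual_stop: read unit file text on stdin, succeed if the unit
# tells systemd to reject a direct `systemctl stop`.
refuses_manual_stop() {
    grep -Eiq '^[[:space:]]*RefuseManualStop[[:space:]]*=[[:space:]]*(yes|true|on|1)[[:space:]]*$'
}

# acct9630_finding: $1 = `auditctl -l` output, $2 = unit file text.
acct9630_finding() {
    local state
    state=$(printf '%s\n' "$1" | ruleset_state)
    if [ "$state" != "empty" ]; then
        echo "OK: $state"
    elif printf '%s\n' "$2" | refuses_manual_stop; then
        echo "FINDING: empty ruleset; unit refuses manual stop"
    else
        echo "FINDING: empty ruleset"
    fi
}

acct9630_finding "$SAMPLE_EMPTY" "$SAMPLE_UNIT"
acct9630_finding "$SAMPLE_RULES" "$SAMPLE_UNIT"
```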
