-
hack3rcon
- Posts: 757
- Joined: 2014/11/24 11:04:37
Post
by hack3rcon » 2020/09/11 08:51:57
Hello,
I'm using CentOS 8 and I tested my server with Lynis. It showed me the warning below:
I wanted to disable this service but:
Code:
# systemctl disable auditd
Removed /etc/systemd/system/multi-user.target.wants/auditd.service.
# systemctl stop auditd
Failed to stop auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details.
# systemctl status auditd.service
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2020-08-25 16:33:31 +0430; 2 weeks 2 days ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Main PID: 1156 (auditd)
Tasks: 4 (limit: 23575)
Memory: 5.0M
CGroup: /system.slice/auditd.service
├─1156 /sbin/auditd
└─1158 /usr/sbin/sedispatch
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
Why?
Thank you.
-
aks
- Posts: 3073
- Joined: 2014/09/20 11:22:14
Post
by aks » 2020/09/16 17:56:33
systemctl list-dependencies is your friend here ....
-
hack3rcon
- Posts: 757
- Joined: 2014/11/24 11:04:37
Post
by hack3rcon » 2020/09/17 18:27:15
I stopped the Auditd service.
Code:
systemctl list-dependencies
default.target
● ├─abrt-ccpp.service
● ├─abrt-oops.service
● ├─abrt-vmcore.service
● ├─abrt-xorg.service
● ├─abrtd.service
● ├─atd.service
● ├─crond.service
● ├─dbus.service
● ├─dnf-automatic.timer
● ├─dnf-makecache.timer
● ├─fail2ban.service
● ├─firewalld.service
● ├─httpd.service
● ├─irqbalance.service
● ├─kdump.service
● ├─libstoragemgmt.service
● ├─mariadb.service
● ├─mcelog.service
● ├─mdmonitor.service
● ├─NetworkManager.service
● ├─plymouth-quit-wait.service
● ├─plymouth-quit.service
● ├─pmcd.service
● ├─pmie.service
● ├─pmlogger.service
● ├─rhsmcertd.service
● ├─rsyslog.service
● ├─smartd.service
● ├─sshd.service
● ├─sssd.service
● ├─suricata.service
● ├─sysstat.service
● ├─systemd-ask-password-wall.path
● ├─systemd-logind.service
● ├─systemd-update-utmp-runlevel.service
● ├─systemd-user-sessions.service
● ├─tuned.service
● ├─vdo.service
● ├─vmtoolsd.service
● ├─vsftpd.service
● ├─basic.target
● │ ├─-.mount
● │ ├─microcode.service
● │ ├─paths.target
● │ ├─slices.target
● │ │ ├─-.slice
● │ │ └─system.slice
● │ ├─sockets.target
● │ │ ├─dbus.socket
● │ │ ├─dm-event.socket
● │ │ ├─iscsid.socket
● │ │ ├─iscsiuio.socket
● │ │ ├─multipathd.socket
● │ │ ├─sssd-kcm.socket
● │ │ ├─systemd-coredump.socket
● │ │ ├─systemd-initctl.socket
● │ │ ├─systemd-journald-dev-log.socket
● │ │ ├─systemd-journald.socket
● │ │ ├─systemd-udevd-control.socket
● │ │ └─systemd-udevd-kernel.socket
● │ ├─sysinit.target
● │ │ ├─dev-hugepages.mount
● │ │ ├─dev-mqueue.mount
● │ │ ├─dracut-shutdown.service
● │ │ ├─import-state.service
● │ │ ├─iscsi-onboot.service
● │ │ ├─iscsi.service
● │ │ ├─kmod-static-nodes.service
● │ │ ├─ldconfig.service
● │ │ ├─loadmodules.service
● │ │ ├─lvm2-lvmpolld.socket
● │ │ ├─lvm2-monitor.service
● │ │ ├─multipathd.service
● │ │ ├─nis-domainname.service
● │ │ ├─plymouth-read-write.service
● │ │ ├─plymouth-start.service
● │ │ ├─proc-sys-fs-binfmt_misc.automount
● │ │ ├─rngd.service
● │ │ ├─selinux-autorelabel-mark.service
● │ │ ├─sys-fs-fuse-connections.mount
● │ │ ├─sys-kernel-config.mount
● │ │ ├─sys-kernel-debug.mount
● │ │ ├─systemd-ask-password-console.path
● │ │ ├─systemd-binfmt.service
● │ │ ├─systemd-firstboot.service
● │ │ ├─systemd-hwdb-update.service
● │ │ ├─systemd-journal-catalog-update.service
● │ │ ├─systemd-journal-flush.service
● │ │ ├─systemd-journald.service
● │ │ ├─systemd-machine-id-commit.service
● │ │ ├─systemd-modules-load.service
● │ │ ├─systemd-random-seed.service
● │ │ ├─systemd-sysctl.service
● │ │ ├─systemd-sysusers.service
● │ │ ├─systemd-tmpfiles-setup-dev.service
● │ │ ├─systemd-tmpfiles-setup.service
● │ │ ├─systemd-udev-trigger.service
● │ │ ├─systemd-udevd.service
● │ │ ├─systemd-update-done.service
● │ │ ├─systemd-update-utmp.service
● │ │ ├─cryptsetup.target
● │ │ ├─local-fs.target
● │ │ │ ├─-.mount
● │ │ │ ├─boot-efi.mount
● │ │ │ ├─boot.mount
● │ │ │ ├─home.mount
● │ │ │ └─systemd-remount-fs.service
● │ │ └─swap.target
● │ │ └─dev-mapper-cl\x2dswap.swap
● │ └─timers.target
● │ ├─systemd-tmpfiles-clean.timer
● │ └─unbound-anchor.timer
● ├─getty.target
● │ └─getty@tty1.service
● └─remote-fs.target
-
TrevorH
- Site Admin
- Posts: 33219
- Joined: 2009/09/24 10:40:56
- Location: Brighton, UK
Post
by TrevorH » 2020/09/17 18:36:56
Why are you disabling one of the essential security auditing tools?
-
hack3rcon
- Posts: 757
- Joined: 2014/11/24 11:04:37
Post
by hack3rcon » 2020/09/18 11:12:35
TrevorH wrote: ↑2020/09/17 18:36:56
Why are you disabling one of the essential security auditing tools?
When I installed CentOS, this service was disabled.
Why must it be enabled when I never added any rule? Any default rules?
-
TrevorH
- Site Admin
- Posts: 33219
- Joined: 2009/09/24 10:40:56
- Location: Brighton, UK
Post
by TrevorH » 2020/09/18 16:33:46
If it was disabled when you did the install then you did something wrong. All CentOS installs include auditd and all enable it out of the box.
-
hack3rcon
- Posts: 757
- Joined: 2014/11/24 11:04:37
Post
by hack3rcon » 2020/09/18 18:34:14
TrevorH wrote: ↑2020/09/18 16:33:46
If it was disabled when you did the install then you did something wrong. All CentOS installs include auditd and all enable it out of the box.
Does CentOS 8 have any default rules for the Auditd service?
How can I troubleshoot it?
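
An added example, not part of any post in this thread: a POSIX shell check that ties the "Operation refused" message in the first post to the unit's `RefuseManualStop` property and reports how many audit rules are loaded. The function names (`unit_prop`, `explain_stop`, `count_rules`) and the `SAMPLE_SHOW` text are hypothetical and constructed for illustration; the sample is used only when `systemctl` gives no output.

```shell
#!/bin/sh
# Added example: explain why `systemctl stop auditd` is refused and
# summarise the loaded audit rule set. Names below are hypothetical.

# Constructed sample of `systemctl show auditd.service -p ...` output.
SAMPLE_SHOW='RefuseManualStop=yes
ActiveState=active'

# Print the value of one Key=Value line from systemctl-show style text.
unit_prop() {  # usage: unit_prop KEY "TEXT"
    printf '%s\n' "$2" |
        awk -F= -v k="$1" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# Say whether a manual stop is refused by the unit's own configuration.
explain_stop() {  # usage: explain_stop "TEXT"
    refuse=$(unit_prop RefuseManualStop "$1")
    active=$(unit_prop ActiveState "$1")
    if [ "$refuse" = "yes" ]; then
        echo "refused: unit sets RefuseManualStop=yes (state: $active)"
    else
        echo "allowed: no RefuseManualStop restriction (state: $active)"
    fi
}

# Count rules in `auditctl -l` output; it prints "No rules" when empty.
count_rules() {  # usage: count_rules "TEXT"
    if [ -z "$1" ] || [ "$1" = "No rules" ]; then echo 0; return 0; fi
    printf '%s\n' "$1" | grep -c '^-' || true
}

main() {
    show=""
    if command -v systemctl >/dev/null 2>&1; then
        show=$(systemctl show auditd.service -p RefuseManualStop \
               -p ActiveState 2>/dev/null) || show=""
    fi
    [ -n "$show" ] || show=$SAMPLE_SHOW   # fall back to constructed sample
    explain_stop "$show"
    if rules=$(auditctl -l 2>/dev/null); then   # needs root
        echo "loaded audit rules: $(count_rules "$rules")"
    else
        echo "loaded audit rules: unknown (auditctl needs root)"
    fi
}
main
```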