SCIENTIFIC-LINUX-USERS Archives

April 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
"~Stack~" <[log in to unmask]>
Reply To:
~Stack~
Date:
Wed, 2 Apr 2014 17:25:13 -0500
Content-Type:
multipart/signed
Parts/Attachments:
text/plain (1520 bytes) , signature.asc (265 bytes)
On 04/02/2014 11:51 AM, John Musbach wrote:
> Hello, I've been tasked with fixing up an auditd policy, but it's on a server that's actively being used and the policy installed was set immutable. I've tried searching and everyone recommends rebooting to escape immutable mode… But is there really no way to code up something that, as root, removes immutable mode without a reboot? I find it pretty amazing nobody seems to have attempted to do this already.

Greetings,

I am honestly not trying to be snarky here, but that is the point. These
/are/ _the_ audit rules for your system. I don't want a potential
attacker (or worse, a coworker/intern who really shouldn't be messing
with my server) to be able to turn off auditing. If they have root
access, that box is already screwed, but I would prefer to have a decent
audit trail to go off of. Sure, it is possible to adjust the settings
with a reboot, but my alert systems go off when a server reboots outside
of a maintenance window.

In short, if the box is screwed over that badly anyway, I don't want to
lose the audit logs too!

Trust me, I feel the pain. We have recently had to update a lot of our
audit rules, and we occasionally find things that tested fine in the dev
environment but have issues in prod. (One audit rule to capture a
certain event was unknowingly triggered on a prod system process so fast
it was draining CPU time and causing the logs to rotate every minute!
That was fun to track down...). But I would still rather immutable /be/
immutable.

Good luck!

~Stack~
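As an added, defender-side example that is not part of this thread or of Stack's post, here is a Python check for two things the reply raises: that `-e 2` sits at the end of the rules file (anything after it will not load once the rules are locked, and changing them afterwards needs a reboot), and a per-key rate count over audit log records to flag a rule that fires far faster than intended before it reaches production. The rules file, log lines and threshold are constructed for the example.

```python
# Added example: pre-deployment checks for an auditd rules file and its log.
from collections import Counter
import re

# Constructed audit.rules content (hypothetical; not from the thread).
AUDIT_RULES = """
-D
-b 8192
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
-e 2
"""

# Constructed audit.log lines in auditd's native format; key="..." is what
# the -k option stamps on each matching SYSCALL record.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1396476300.101:1): arch=c000003e syscall=59 key="exec"
type=SYSCALL msg=audit(1396476300.102:2): arch=c000003e syscall=59 key="exec"
type=SYSCALL msg=audit(1396476300.240:3): arch=c000003e syscall=59 key="exec"
type=SYSCALL msg=audit(1396476301.010:4): arch=c000003e syscall=257 key="identity"
type=SYSCALL msg=audit(1396476301.500:5): arch=c000003e syscall=59 key="exec"
"""

def check_immutable_last(rules_text):
    """Return (ok, message). '-e 2' must be the last active line: once the
    rules are locked, auditctl refuses every later rule change."""
    lines = [l.strip() for l in rules_text.splitlines()
             if l.strip() and not l.strip().startswith("#")]
    idx = [i for i, l in enumerate(lines) if l.split() == ["-e", "2"]]
    if not idx:
        return False, "no '-e 2': rules can be changed at runtime by root"
    if idx[0] != len(lines) - 1:
        extra = len(lines) - 1 - idx[0]
        return False, f"'-e 2' is followed by {extra} rule(s) that will never load"
    return True, "rules are locked after load; changes need a reboot"

_REC = re.compile(r'msg=audit\((\d+)\.\d+:\d+\).*\bkey="([^"]+)"')

def events_per_second(log_text):
    """Count matched records per (rule key, second), to spot a rule that
    fires far faster than expected (the CPU-draining case in the thread)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = _REC.search(line)
        if m:
            counts[(m.group(2), int(m.group(1)))] += 1
    return counts

def noisy_keys(log_text, threshold):
    """Rule keys whose record count reaches `threshold` in any one second."""
    return sorted({k for (k, _s), n in events_per_second(log_text).items() if n >= threshold})
```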

