Question: How to create audit rules for monitoring services start or stop?
In order to monitor the service start and stop, you will need two audit rules in place. Add the following rules in the /etc/audit.rules or /etc/audit/rules.d/audit.rules depending on the version of CentOS/RHEL you are running.
(1) A rule to monitor the start, or execution, of the service. For rsyslogd the rule may look like this.
-w /sbin/rsyslogd -p x -k rsyslog_run
(2) A rule to monitor the stop syscall for the service. For rsyslogd the rule may look like this:
-a exit,always -F arch=b64 -k rsyslog_exit
After implementing these rules, you will need to restart the auditd service.
For CentOS/RHEL 7
# systemctl stop auditd # systemctl start auditd
For CentOS/RHEL 6
# service restart auditd
Verify the rules that are currently loaded:
# auditctl -l
Verify the logs
You will be able to find the logs with the following command:
# grep rsyslogd /var/log/audit/audit.log