Hello,
On Wednesday, January 10, 2018 5:41:03 PM EST Joshua Ammons wrote:
> I wanted to check if anyone was aware of a setting on RedHat box for
> enabling the PROCTITLE event type for audit logs?

Nope.

> Is there any difference between RedHat and CentOS?

I have seen studies that show there are differences.

> I have one box running RedHat 7.3 and another running CentOS 7.3, with
> auditd enabled on both with the same rules. However, only the RedHat box is
> populating the event type PROCTITLE - the CentOS box does not.

You might move that box to CentOS 7.4. The proctitle records were a kernel
enhancement shipped in RHEL 7.4.

-Steve

> I would like to get the PROCTITLE event type working on my CentOS box as
> well, if possible, but I cannot find any documentation online about anyone
> else having this issue and how to resolve.
>
> Thanks for your time.
>
> Joshua Ammons Advanced SIEM Engineer, Cybersecurity
> Global Business Services
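
Added example, not part of the original thread: a small check that reports which SYSCALL events in a raw audit log have no companion PROCTITLE record, and decodes the proctitle values that are present. It assumes the standard raw audit.log line layout, where proctitle is either a quoted string or hex with NUL-separated arguments; the sample records are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread). Event 102 has a SYSCALL
# record but no PROCTITLE record, which is what the CentOS 7.3 box would show.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1515624063.101:101): arch=c000003e syscall=59 success=yes exit=0 pid=2001 comm="cat" exe="/usr/bin/cat"
type=PROCTITLE msg=audit(1515624063.101:101): proctitle=636174002F6574632F686F73746E616D65
type=SYSCALL msg=audit(1515624070.202:102): arch=c000003e syscall=59 success=yes exit=0 pid=2002 comm="ls" exe="/usr/bin/ls"
type=SYSCALL msg=audit(1515624075.303:103): arch=c000003e syscall=59 success=yes exit=0 pid=2003 comm="bash" exe="/usr/bin/bash"
type=PROCTITLE msg=audit(1515624075.303:103): proctitle="bash"
"""

RECORD = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)$")
PROCTITLE_FIELD = re.compile(r'\bproctitle=("[^"]*"|\S+)')

def decode_proctitle(value):
    """Return the command line from a proctitle field value."""
    if value.startswith('"'):          # safe strings are logged quoted
        return value.strip('"')
    try:
        raw = bytes.fromhex(value)     # otherwise hex, argv joined by NUL
    except ValueError:
        return value                   # not hex: leave untouched
    args = [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]
    return " ".join(args)

def proctitle_coverage(log_text):
    """Map event id -> decoded proctitle, and list SYSCALL events without one."""
    types_by_event = defaultdict(set)
    titles = {}
    for line in log_text.splitlines():
        match = RECORD.match(line)
        if not match:
            continue
        rtype, event_id, body = match.groups()
        types_by_event[event_id].add(rtype)
        field = PROCTITLE_FIELD.search(body) if rtype == "PROCTITLE" else None
        if field:
            titles[event_id] = decode_proctitle(field.group(1))
    missing = sorted(e for e, t in types_by_event.items()
                     if "SYSCALL" in t and "PROCTITLE" not in t)
    return titles, missing

if __name__ == "__main__":
    found, missing = proctitle_coverage(SAMPLE_LOG)
    print("decoded:", found)
    print("SYSCALL events without PROCTITLE:", missing)
```

Running it over the same time window from both hosts shows whether PROCTITLE is absent everywhere on one of them or only for some events.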