On Tuesday, January 06, 2015 11:54:37 AM Erinn Looney-Triggs wrote:
I have been digging around trying to find the answer to the above; hopefully
I didn't miss something obvious. It was for RHEL < 7; is it still for RHEL
7? Or has systemd done some magic to remove that need?

AFAIK, all Linux kernels from all distributions have the same need. What that
flag does is enable the audit system. When the audit system is enabled and
every time there is a fork, the TIF_AUDIT flag is added to the process. This
makes the process auditable.

Without this flag, the process cannot be audited...ever. So, if systemd was to
do some magic (and it doesn't), then systemd itself would not be auditable nor
any process it creates until audit became enabled.
-Steve