Re: Is audit=1 still required for RHEL 7?
Hi everyone!
first of all sorry for my bad english!
i could not accomplish to get rid of from auid=4294967295 issue
i have implemented that suggestions:
https://www.redhat.com/archives/linux-audit/2010-June/msg00002.html
https://people.redhat.com/sgrubb/audit/audit-faq.txt
but not succeed.
is there any other reasons or solutions?
by the way suggestions in the links, is it important to where we put the
suggested confs:
e.g. which line to put "audit=1"
or which line to put "session required pam_loginuid.so"
and further are kernel or audit package versions important?
If anyone can help with this it will be very helpful.
Regards,
On 06-01-2015 21:16, Erinn Looney-Triggs wrote:
On Tuesday, January 06, 2015 02:13:27 PM Steve Grubb wrote:
> On Tuesday, January 06, 2015 11:54:37 AM Erinn Looney-Triggs wrote:
>> I have been digging around trying to find the answer to the above,
>> hopefully I didn't miss something obvious. It was for RHEL < 7 is it
>> still for RHEL 7? Or has systemd done some magic to remove that need?
> AFAIK, all linux kernels from all distributions have the same need. What
> that flag does is enable the audit system. When the audit system is enabled
> and every time there is a fork, the TIF_AUDIT flag is added to the process.
> This make the process auditable.
>
> Without this flag, the process cannot be audited...ever. So, if systemd was
> to do some magic (and it doesn't), then systemd itself would not be
> auditable nor any process it creates until audit became enabled.
>
> -Steve
Thanks Steve, I just wanted to check, I couldn't find anything explicitly
mentioning this. I think I'll open a bug for the SCAP security guide about
this.
-Erinn
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Attachments:
- attachment.html (text/html — 3.0 KB)