Hi everyone!
First of all, sorry for my bad English!
I could not manage to get rid of the auid=4294967295 issue.
I have implemented these suggestions:
https://www.redhat.com/archives/linux-audit/2010-June/msg00002.html
https://people.redhat.com/sgrubb/audit/audit-faq.txt
but did not succeed.
Are there any other reasons or solutions?
By the way, regarding the suggestions in the links, is it important where we
put the suggested configs:
e.g. which line to put "audit=1" on,
or which line to put "session required pam_loginuid.so" on?
And further, are kernel or audit package versions important?
If anyone can help with this it will be very helpful.
Regards,
On 06-01-2015 21:16, Erinn Looney-Triggs wrote:
On Tuesday, January 06, 2015 02:13:27 PM Steve Grubb wrote:
On Tuesday, January 06, 2015 11:54:37 AM Erinn Looney-Triggs wrote:
I have been digging around trying to find the answer to the above,
hopefully I didn't miss something obvious. It was for RHEL < 7 is it
still for RHEL 7? Or has systemd done some magic to remove that need?
AFAIK, all linux kernels from all distributions have the same need. What
that flag does is enable the audit system. When the audit system is enabled
and every time there is a fork, the TIF_AUDIT flag is added to the process.
This makes the process auditable.
Without this flag, the process cannot be audited...ever. So, if systemd was
to do some magic (and it doesn't), then systemd itself would not be
auditable nor any process it creates until audit became enabled.
-Steve
Thanks Steve, I just wanted to check, I couldn't find anything explicitly
mentioning this. I think I'll open a bug for the SCAP security guide about
this.
-Erinn
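As an added example (my own script, not something posted in this thread or shipped with the audit package), the following POSIX sh diagnostic checks the two settings the thread discusses and counts audit records whose auid is the unset value 4294967295, i.e. (unsigned)-1, which the kernel reports when no login UID was ever assigned to the process. It assumes /etc/pam.d/sshd and /etc/pam.d/login are the PAM service files of interest; the sample audit records are constructed for the demonstration and are not real log data.

```shell
#!/bin/sh
# Added diagnostic, not part of the thread. Checks the conditions the thread
# mentions (audit=1 on the kernel command line, pam_loginuid.so in the PAM
# session stack) and counts audit records whose auid is unset.
# auid=4294967295 is (unsigned)-1: the login UID was never set for that
# process. That is normal for daemons started at boot, but for a logged-in
# user's session it means pam_loginuid.so did not run for that login, or the
# kernel was booted without audit=1 so the process was never auditable.

# has_audit_param CMDLINE -> succeeds when audit=1 is present as an exact token
has_audit_param() {
    case " $1 " in
        *" audit=1 "*) return 0 ;;
    esac
    return 1
}

# has_pam_loginuid PAMFILE_CONTENT -> succeeds when an uncommented
# "session required pam_loginuid.so" line is present
has_pam_loginuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_loginuid\.so'
}

# count_unset_auid LOGTEXT -> prints the number of records with auid=4294967295
count_unset_auid() {
    printf '%s\n' "$1" | grep -c 'auid=4294967295' || true
}

# Constructed sample records (not a real log); pids, timestamps and the
# user name are made up. The first record has a proper auid, the other two
# show the unset value this thread is about.
SAMPLE_LOG='type=USER_START msg=audit(1420580000.100:101): pid=2201 uid=0 auid=1000 ses=3 acct="alice" exe="/usr/sbin/sshd" res=success
type=SYSCALL msg=audit(1420580001.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2210 auid=4294967295 uid=1000 comm="bash" exe="/usr/bin/bash"
type=SYSCALL msg=audit(1420580002.300:103): arch=c000003e syscall=2 success=yes exit=3 ppid=2210 pid=2215 auid=4294967295 uid=1000 comm="cat" exe="/usr/bin/cat"'

# Report on the running system where the files are readable; the sample log
# is always evaluated so the script shows its output even on a test box.
cmdline=""
if [ -r /proc/cmdline ]; then
    cmdline=$(cat /proc/cmdline)
fi
if has_audit_param "$cmdline"; then
    echo "kernel: audit=1 present on the command line"
else
    echo "kernel: audit=1 missing (processes forked before audit is enabled are never auditable)"
fi

# Assumed PAM service files; adjust for the services your logins go through.
for f in /etc/pam.d/sshd /etc/pam.d/login; do
    if [ -r "$f" ] && has_pam_loginuid "$(cat "$f")"; then
        echo "$f: pam_loginuid.so is in the session stack"
    else
        echo "$f: pam_loginuid.so not found or file unreadable"
    fi
done

echo "sample records with unset auid: $(count_unset_auid "$SAMPLE_LOG")"
```

On a correctly configured host a logged-in user's records carry the real auid (1000 in the sample) because pam_loginuid.so set it at session open; the unset value should then appear only on processes that were never part of a login session, such as those started by init before audit was enabled.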
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit