Re: Auditing failed kill events
On Tuesday 21 August 2007 13:50:24 Henning, Arthur C. (CSL) wrote:
> Audit 1.5.6-1.i386
That's on RHEL?
Art >> RHEL 5
audit-1.5.5-7 is scheduled for RHEL5. :)
You should have a OBJ_PID record, too.
Art >> Don't find it. I use ausearch -sv no > [filename]. Open the file
and find no OBJ_PID. Perhaps my rule isn't configured to allow this to
be captured.
You need a newer kernel. This was fixed in our LSPP work and will be in 5.1.
You can find the LSPP kernels here:
ftp://ftp.redhat.com/pub/redhat/linux/eal/EAL4_RHEL5
But there have probably been some security releases since LSPP was final, so
you'd want to switch to the 5.1 kernel as soon as its out.
-Steve