On Tuesday, January 06, 2015 02:13:27 PM Steve Grubb wrote:
> On Tuesday, January 06, 2015 11:54:37 AM Erinn Looney-Triggs wrote:
> > I have been digging around trying to find the answer to the above,
> > hopefully I didn't miss something obvious. It was for RHEL < 7 is it
> > still for RHEL 7? Or has systemd done some magic to remove that need?
> AFAIK, all linux kernels from all distributions have the same need. What
> that flag does is enable the audit system. When the audit system is enabled
> and every time there is a fork, the TIF_AUDIT flag is added to the process.
> This makes the process auditable.
> Without this flag, the process cannot be audited...ever. So, if systemd was
> to do some magic (and it doesn't), then systemd itself would not be
> auditable nor any process it creates until audit became enabled.
> -Steve
Thanks Steve, I just wanted to check, I couldn't find anything explicitly
mentioning this. I think I'll open a bug for the SCAP security guide about
this.
-Erinn
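As an added example (not code from the thread or from the SCAP security guide), a POSIX shell check of the kind such a guide rule would perform: it derives the effective audit= setting from a kernel command line and can check the booted kernel through /proc/cmdline. That the last occurrence of audit= wins and that on/off spellings are accepted are assumptions about kernel parameter parsing, noted in the comments.

```shell
#!/bin/sh
# Effective value of the kernel's audit= parameter for a given command line.
# Assumption: the kernel processes parameters left to right, so when audit=
# appears more than once the last occurrence wins. Assumption: "on"/"off"
# are accepted by newer kernels; RHEL 7's 3.10 kernel only takes 1/0.
# Prints "on", "off" or "unset"; returns 0 only when auditing is on at boot.
audit_boot_setting() {
    cmdline="$1"
    setting="unset"
    for word in $cmdline; do            # unquoted on purpose: split on spaces
        case "$word" in
            audit=1|audit=on)  setting="on"  ;;
            audit=0|audit=off) setting="off" ;;
        esac
    done
    printf '%s\n' "$setting"
    [ "$setting" = "on" ]
}

# Check the running kernel: /proc/cmdline holds the parameters it booted with.
check_running_kernel() {
    if [ ! -r /proc/cmdline ]; then
        echo "no readable /proc/cmdline (not a Linux host?)" >&2
        return 2
    fi
    if audit_boot_setting "$(cat /proc/cmdline)" >/dev/null; then
        echo "PASS: kernel booted with audit enabled; PID 1 and its children are auditable"
    else
        echo "FAIL: audit= not enabled on the kernel command line;" \
             "processes started before auditd can never be audited"
        return 1
    fi
}

# Set AUDIT_CHECK_HOST=1 to check the host this script runs on.
if [ -n "${AUDIT_CHECK_HOST:-}" ]; then
    check_running_kernel
fi
```

Without AUDIT_CHECK_HOST set, the file only defines the two functions, so it can be sourced and audit_boot_setting fed a command line copied from a grub configuration.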