Auditing failed kill events

Henning, Arthur C. (CSL) art.henning at ngc.com
Tue Aug 21 21:19:42 UTC 2007


Is there a way to FTP the needed LSPP files rather than downloading each
one individually?
Thanks,

Art Henning (CSL) 
Enterprise IT Solutions
Northrop Grumman Corp.
art.henning at ngc.com

-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com] 
Sent: Tuesday, August 21, 2007 1:17 PM
To: Henning, Arthur C. (CSL)
Cc: linux-audit at redhat.com
Subject: Re: Auditing failed kill events

On Tuesday 21 August 2007 13:50:24 Henning, Arthur C. (CSL) wrote:
> > Audit 1.5.6-1.i386
>
> That's on RHEL?
> Art >> RHEL 5

audit-1.5.5-7 is scheduled for RHEL5.  :)


> You should have a OBJ_PID record, too.
> Art >> Don't find it. I use ausearch -sv no > [filename]. Open the file
> and find no OBJ_PID. Perhaps my rule isn't configured to allow this to
> be captured.

You need a newer kernel. This was fixed in our LSPP work and will be in
5.1. 
You can find the LSPP kernels here:

ftp://ftp.redhat.com/pub/redhat/linux/eal/EAL4_RHEL5

But there have probably been some security releases since LSPP was
final, so you'd want to switch to the 5.1 kernel as soon as it's out.

-Steve



