Is audit=1 still required for RHEL 7?

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Tue Jan 6 19:16:00 UTC 2015


On Tuesday, January 06, 2015 02:13:27 PM Steve Grubb wrote:
> On Tuesday, January 06, 2015 11:54:37 AM Erinn Looney-Triggs wrote:
> > I have been digging around trying to find the answer to the above,
> > hopefully I didn't miss something obvious. It was for RHEL < 7; is it
> > still for RHEL 7? Or has systemd done some magic to remove that need?
> 
> AFAIK, all Linux kernels from all distributions have the same need. What
> that flag does is enable the audit system. When the audit system is enabled
> and every time there is a fork, the TIF_AUDIT flag is added to the process.
> This makes the process auditable.
> 
> Without this flag, the process cannot be audited...ever. So, if systemd was
> to do some magic (and it doesn't), then systemd itself would not be
> auditable nor any process it creates until audit became enabled.
> 
> -Steve

Thanks Steve, I just wanted to check, I couldn't find anything explicitly 
mentioning this. I think I'll open a bug for the SCAP security guide about 
this. 

-Erinn
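
Added example, not part of the original thread: a shell check that a host both booted with audit=1 and keeps it in its grub defaults, which is the condition the reply above describes. The function names are hypothetical, /etc/default/grub with GRUB_CMDLINE_LINUX is assumed as the persistent location, and a repeated audit= parameter is assumed to resolve to its last occurrence.

```shell
#!/bin/sh
# Added example: report whether a kernel command line enables audit at boot.

# Print the value of the last audit= token in the given command line
# (assumption: when the parameter is repeated, the last occurrence wins).
audit_param_value() {
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' | sed -n 's/^audit=//p' | tail -n 1
}

# Return 0 if the command line sets audit=1, 1 otherwise (absent or audit=0).
cmdline_enables_audit() {
    [ "$(audit_param_value "$1")" = "1" ]
}

# Extract the GRUB_CMDLINE_LINUX value from a grub defaults file so the
# persistent configuration can be checked as well as the running kernel.
grub_cmdline_from_file() {
    sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Check a cmdline file (e.g. /proc/cmdline) and a grub defaults file
# (e.g. /etc/default/grub); print one status line for each.
# Returns 0 only when both enable audit.
report_audit_boot() {
    rc=0
    if cmdline_enables_audit "$(cat "$1")"; then
        echo "running kernel: audit=1 present"
    else
        echo "running kernel: audit=1 MISSING"; rc=1
    fi
    if cmdline_enables_audit "$(grub_cmdline_from_file "$2")"; then
        echo "grub defaults:  audit=1 present"
    else
        echo "grub defaults:  audit=1 MISSING"; rc=1
    fi
    return $rc
}

# Constructed sample input, not taken from a real host.
SAMPLE_GOOD='BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro rhgb quiet audit=1'
SAMPLE_BAD='BOOT_IMAGE=/vmlinuz root=/dev/mapper/rhel-root ro rhgb quiet'
cmdline_enables_audit "$SAMPLE_GOOD" && echo "sample good: enabled"
cmdline_enables_audit "$SAMPLE_BAD"  || echo "sample bad: not enabled"
```

On a live system the call would be `report_audit_boot /proc/cmdline /etc/default/grub`; a mismatch between the two lines means the setting will not survive, or has not yet taken effect until, the next reboot.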

More information about the Linux-audit mailing list