Is audit=1 still required for RHEL 7?
Burak Gürer
burak4burak at msn.com
Thu Jan 8 10:12:14 UTC 2015
Hi everyone!
first of all sorry for my bad english!
i could not accomplish to get rid of from auid=4294967295 issue
i have implemented that suggestions:
https://www.redhat.com/archives/linux-audit/2010-June/msg00002.html
https://people.redhat.com/sgrubb/audit/audit-faq.txt
but not succeed.
is there any other reasons or solutions?
by the way suggestions in the links, is it important to where we put the
suggested confs:
e.g. which line to put "audit=1"
or which line to put "session required pam_loginuid.so"
and further are kernel or audit package versions important?
If anyone can help with this it will be very helpful.
Regards,
On 06-01-2015 21:16, Erinn Looney-Triggs wrote:
> On Tuesday, January 06, 2015 02:13:27 PM Steve Grubb wrote:
>> On Tuesday, January 06, 2015 11:54:37 AM Erinn Looney-Triggs wrote:
>>> I have been digging around trying to find the answer to the above,
>>> hopefully I didn't miss something obvious. It was for RHEL < 7 is it
>>> still for RHEL 7? Or has systemd done some magic to remove that need?
>> AFAIK, all linux kernels from all distributions have the same need. What
>> that flag does is enable the audit system. When the audit system is enabled
>> and every time there is a fork, the TIF_AUDIT flag is added to the process.
>> This make the process auditable.
>>
>> Without this flag, the process cannot be audited...ever. So, if systemd was
>> to do some magic (and it doesn't), then systemd itself would not be
>> auditable nor any process it creates until audit became enabled.
>>
>> -Steve
> Thanks Steve, I just wanted to check, I couldn't find anything explicitly
> mentioning this. I think I'll open a bug for the SCAP security guide about
> this.
>
> -Erinn
>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20150108/b55e8310/attachment.htm>
More information about the Linux-audit
mailing list