Is audit=1 still required for RHEL 7?
Steve Grubb
sgrubb at redhat.com
Thu Jan 8 14:13:08 UTC 2015
Hello,
On Thursday, January 08, 2015 03:33:08 PM Burak Gürer wrote:
> On 08-01-2015 15:03, Steve Grubb wrote:
> > On Thursday, January 08, 2015 12:12:14 PM Burak Gürer wrote:
> >> Hi everyone!
> >>
> >> first of all sorry for my bad english!
> >>
> >> i could not accomplish to get rid of from auid=4294967295 issue
> >>
> >> i have implemented that suggestions:
> >>
> >> https://www.redhat.com/archives/linux-audit/2010-June/msg00002.html
> >> https://people.redhat.com/sgrubb/audit/audit-faq.txt
> >>
> >> but not succeed.
> >> is there any other reasons or solutions?
> >
> > There is a chance that --with-audit or --enable-audit was not used in the
> > configuration of the utilities. I can't say for certain without knowing
> > more about your distribution.
>
> distrubution is:
>
> [root at test /root]# lsb_release -a
>
> LSB Version:
> :core-3.1-amd64:core-3.1-ia32:core-3.1-noarch:graphics-3.1-amd64:graphics-3.
> :1-ia32:graphics-3.1-noarch
> Distributor ID: RedHatEnterpriseServer
> Description: Red Hat Enterprise Linux Server release 5.2 (Tikanga)
> Release: 5.2
> Codename: Tikanga
OK. Then I know that auditing is enabled in everything possible.
> >> by the way suggestions in the links, is it important to where we put the
> >> suggested confs:
> >>
> >> e.g. which line to put "audit=1"
> >
> > That is a kernel boot parameter.
>
> is this correct?:
>
> # grub.conf generated by anaconda
> #
> # Note that you do not have to rerun grub after making changes to this file
> # NOTICE: You have a /boot partition. This means that
> # all kernel and initrd paths are relative to /boot/, eg.
> # root (hd0,0)
> # kernel /vmlinuz-version ro root=/dev/sda2
> # initrd /initrd-version.img
> #boot=/dev/sda
> default=0
> timeout=5
> splashimage=(hd0,0)/grub/splash.xpm.gz
> hiddenmenu
> title Red Hat Enterprise Linux Server (2.6.18-92.el5)
> root (hd0,0)
> kernel /vmlinuz-2.6.18-92.el5 ro root=LABEL=/ *audit=1* rhgb quiet
Yes, this is correct, assuming that the '*' was added just for emphasis but is
absent in the real file. That must be in place for each bootable kernel for it
to universally work.
> initrd /initrd-2.6.18-92.el5.img
>
> >> or which line to put "session required pam_loginuid.so"
> >
> > This would go into the pam configuration of system entry points. For
> > example, it would be in /etc/pam.d/login. But it would NOT go into
> > /etc/pam.d/system- auth or /etc/pam.d/su. This should already be
> > configured by your distribution and you shouldn't need to adjust it.
> >
> >> and further are kernel or audit package versions important?
> >
> > Yes. But not to the two questions you ask above. More important is whether
> > or not auditing is enabled in the packages by your distribution. The
> > audit facilities from your question has been available almost 10 years.
> > So, I wonder if auditing is enabled.
>
> so how can i check if auditing is enabled?
For RHEL5, I know its enabled. But based on your questions above, you are
asking 2 things. Where to put audit=1 and if pam_loginuid is right. For these,
# cat /proc/cmdline
and
# cat /proc/self/loginuid
would let you check. In the first, make sure audit=1 is there and in the second
case, the output should be the uid under which you logged into the system.
-Steve
More information about the Linux-audit
mailing list