type=PROCTITLE events not being populated in /var/log/audit/audit.log
Steve Grubb
sgrubb at redhat.com
Wed Jan 10 23:22:10 UTC 2018
Hello,
On Wednesday, January 10, 2018 5:41:03 PM EST Joshua Ammons wrote:
> I wanted to check if anyone was aware of a setting on RedHat box for
> enabling the PROCTITLE event type for audit logs?
Nope.
> Is there any difference between RedHat and CentOS?
I have seen studies that show there are differences.
> I have one box running RedHat 7.3 and another running CentOS 7.3, with
> auditd enabled on both with the same rules. However, only the RedHat box is
> populating the event type PROCTITLE - the CentOS box does not.
You might move that box to Centos 7.4. The proctitle records was a kernel
enhancement shipped in RHEL 7.4.
-Steve
> I would like to get the PROCTITLE event type working on my CentOS box as
> well, if possible, but I cannot find any documentation online about anyone
> else having this issue and how to resolve.
>
> Thanks for your time.
>
> Joshua Ammons Advanced SIEM Engineer, Cybersecurity
> Global Business Services
More information about the Linux-audit
mailing list