type=PROCTITLE events not being populated in /var/log/audit/audit.log

Steve Grubb sgrubb at redhat.com
Wed Jan 10 23:22:10 UTC 2018


On Wednesday, January 10, 2018 5:41:03 PM EST Joshua Ammons wrote:
> I wanted to check if anyone was aware of a setting on a RedHat box for
> enabling the PROCTITLE event type for audit logs?


> Is there any difference between RedHat and CentOS?

I have seen studies that show there are differences.

> I have one box running RedHat 7.3 and another running CentOS 7.3, with
> auditd enabled on both with the same rules. However, only the RedHat box is
> populating the event type PROCTITLE - the CentOS box does not.

You might move that box to CentOS 7.4. The proctitle records were a kernel
enhancement shipped in RHEL 7.4.


> I would like to get the PROCTITLE event type working on my CentOS box as
> well, if possible, but I cannot find any documentation online about anyone
> else having this issue and how to resolve.
> Thanks for your time.
> Joshua Ammons Advanced SIEM Engineer, Cybersecurity
> Global Business Services
