From: "Burak Gürer" <burak4burak@msn.com>
To: Erinn Looney-Triggs <erinn.looneytriggs@gmail.com>,
Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Is audit=1 still required for RHEL 7?
Date: Thu, 08 Jan 2015 12:12:14 +0200
Message-ID: <54AE57FE.3000508@msn.com>
In-Reply-To: <3347865.oePFyplibZ@scrapy.abaqis.com>
Hi everyone!
First of all, sorry for my bad English!
I could not manage to get rid of the auid=4294967295 issue.
I have implemented these suggestions:
https://www.redhat.com/archives/linux-audit/2010-June/msg00002.html
https://people.redhat.com/sgrubb/audit/audit-faq.txt
but did not succeed.
Are there any other reasons or solutions?
By the way, regarding the suggestions in the links, is it important where we put the
suggested confs,
e.g. which line to put "audit=1"
or which line to put "session required pam_loginuid.so"?
And further, are kernel or audit package versions important?
If anyone can help with this it will be very helpful.
Regards,
On 06-01-2015 21:16, Erinn Looney-Triggs wrote:
> On Tuesday, January 06, 2015 02:13:27 PM Steve Grubb wrote:
>> On Tuesday, January 06, 2015 11:54:37 AM Erinn Looney-Triggs wrote:
>>> I have been digging around trying to find the answer to the above,
>>> hopefully I didn't miss something obvious. It was for RHEL < 7; is it
>>> still for RHEL 7? Or has systemd done some magic to remove that need?
>> AFAIK, all Linux kernels from all distributions have the same need. What
>> that flag does is enable the audit system. When the audit system is enabled
>> and every time there is a fork, the TIF_AUDIT flag is added to the process.
>> This makes the process auditable.
>>
>> Without this flag, the process cannot be audited...ever. So, if systemd was
>> to do some magic (and it doesn't), then systemd itself would not be
>> auditable nor any process it creates until audit became enabled.
>>
>> -Steve
> Thanks Steve, I just wanted to check, I couldn't find anything explicitly
> mentioning this. I think I'll open a bug for the SCAP security guide about
> this.
>
> -Erinn
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
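
Added example, not part of the original thread: a shell check for the two settings asked about above (audit=1 on the kernel command line and a pam_loginuid.so session line), plus a reading of the loginuid file where 4294967295 means "never set". The function names and the default paths /proc/cmdline, /etc/pam.d and /proc/self/loginuid are assumptions of this example.

```shell
#!/bin/sh
# Added example: function names and default paths are assumptions,
# not taken from the thread.

UNSET_AUID=4294967295   # (uint32)-1: no loginuid was ever set for this process

# cmdline_has_audit [FILE]: succeed only if "audit=1" is a whole argument
# on the kernel command line (so "audit=10" or "noaudit=1" do not match).
cmdline_has_audit() {
    tr -s ' \t' '\n' < "${1:-/proc/cmdline}" | grep -qx 'audit=1'
}

# pam_sets_loginuid FILE: succeed if an uncommented "session" line
# in the given PAM service file loads pam_loginuid.so.
pam_sets_loginuid() {
    grep -Eq '^[[:space:]]*-?session[[:space:]]+[^#]*pam_loginuid\.so' "$1"
}

# loginuid_state [FILE]: print "unset", "set:<uid>" or "unknown"
# for a /proc/<pid>/loginuid style file.
loginuid_state() {
    uid=$(cat "${1:-/proc/self/loginuid}" 2>/dev/null) || { echo unknown; return; }
    if [ "$uid" = "$UNSET_AUID" ]; then echo unset; else echo "set:$uid"; fi
}

# report: run all three checks against the live system.
report() {
    if cmdline_has_audit; then
        echo "audit=1 present on kernel command line"
    else
        echo "audit=1 missing: processes forked before audit is enabled cannot be audited"
    fi
    for f in /etc/pam.d/*; do
        [ -f "$f" ] || continue
        if pam_sets_loginuid "$f"; then
            echo "pam_loginuid.so in session stack: $f"
        fi
    done
    echo "loginuid of this shell: $(loginuid_state)"
}

# Run as: sh check.sh --report
if [ "${1:-}" = "--report" ]; then report; fi
```

A login path whose PAM service file is not listed by the report never sets loginuid, so events from sessions started through it carry auid=4294967295.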