Linux-audit Archive on lore.kernel.org
* type=PROCTITLE events not being populated in /var/log/audit/audit.log
@ 2018-01-10 22:41 Joshua Ammons
  2018-01-10 23:22 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Joshua Ammons @ 2018-01-10 22:41 UTC (permalink / raw)
  To: linux-audit@redhat.com



Hello,

I wanted to check if anyone was aware of a setting on a RedHat box for enabling the PROCTITLE event type for audit logs?  Is there any difference between RedHat and CentOS?  I have one box running RedHat 7.3 and another running CentOS 7.3, with auditd enabled on both with the same rules.  However, only the RedHat box is populating the event type PROCTITLE - the CentOS box does not.

I would like to get the PROCTITLE event type working on my CentOS box as well, if possible, but I cannot find any documentation online about anyone else having this issue and how to resolve.

Thanks for your time.

Joshua Ammons Advanced SIEM Engineer, Cybersecurity
Global Business Services
Office 479.204.4472 | Mobile 479.595.2291
Joshua.Ammons@walmart.com

Walmart
805 Moberly Ln
Bentonville, AR  72716
Save money. Live better.


* Re: type=PROCTITLE events not being populated in /var/log/audit/audit.log
  2018-01-10 22:41 type=PROCTITLE events not being populated in /var/log/audit/audit.log Joshua Ammons
@ 2018-01-10 23:22 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2018-01-10 23:22 UTC (permalink / raw)
  To: linux-audit

Hello,

On Wednesday, January 10, 2018 5:41:03 PM EST Joshua Ammons wrote:
> I wanted to check if anyone was aware of a setting on a RedHat box for
> enabling the PROCTITLE event type for audit logs?

Nope.

> Is there any difference between RedHat and CentOS?

I have seen studies that show there are differences.

> I have one box running RedHat 7.3 and another running CentOS 7.3, with
> auditd enabled on both with the same rules. However, only the RedHat box is
> populating the event type PROCTITLE - the CentOS box does not.

You might move that box to CentOS 7.4. The proctitle records were a kernel
enhancement shipped in RHEL 7.4.

-Steve

> I would like to get the PROCTITLE event type working on my CentOS box as
> well, if possible, but I cannot find any documentation online about anyone
> else having this issue and how to resolve.
> 
> Thanks for your time.
> 
> Joshua Ammons Advanced SIEM Engineer, Cybersecurity
> Global Business Services
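
Added example, not part of either message in this thread: a Python check that groups audit.log records by event ID and lists the SYSCALL events that have no PROCTITLE record, decoding the hex-encoded proctitle values where they are present. The sample log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log format (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1515624063.101:201): arch=c000003e syscall=59 success=yes exit=0 pid=4121 comm="ls" exe="/usr/bin/ls"
type=EXECVE msg=audit(1515624063.101:201): argc=2 a0="ls" a1="-l"
type=PROCTITLE msg=audit(1515624063.101:201): proctitle=6C73002D6C
type=SYSCALL msg=audit(1515624070.555:202): arch=c000003e syscall=2 success=yes exit=3 pid=4130 comm="cat" exe="/usr/bin/cat"
type=PROCTITLE msg=audit(1515624070.555:202): proctitle="cat"
type=SYSCALL msg=audit(1515624080.900:203): arch=c000003e syscall=59 success=yes exit=0 pid=4140 comm="id" exe="/usr/bin/id"
"""

# Records of one event share the same timestamp:serial inside msg=audit(...).
RECORD = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
TITLE = re.compile(r'(?:^| )proctitle=("[^"]*"|[0-9A-Fa-f]+|\(null\))')

def decode_proctitle(raw):
    """Return readable text for a proctitle value (quoted or hex-encoded)."""
    if raw.startswith('"'):
        return raw.strip('"')
    if raw == "(null)":
        return ""
    # Hex form: the raw command-line bytes, arguments separated by NUL.
    data = bytes.fromhex(raw)
    return data.replace(b"\x00", b" ").decode("utf-8", "replace").strip()

def proctitle_coverage(log_text):
    """Return ({serial: title}, [serials of SYSCALL events lacking PROCTITLE])."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if m:
            rtype, ts, serial, body = m.groups()
            events[(ts, serial)][rtype] = body
    titles, missing = {}, []
    for (ts, serial), recs in events.items():
        if "SYSCALL" not in recs:
            continue
        if "PROCTITLE" not in recs:
            missing.append(serial)
            continue
        t = TITLE.search(recs["PROCTITLE"])
        titles[serial] = decode_proctitle(t.group(1)) if t else ""
    return titles, missing

if __name__ == "__main__":
    titles, missing = proctitle_coverage(SAMPLE_LOG)
    print(titles, "missing:", missing)
```

Running it over the same time window of `/var/log/audit/audit.log` from each host shows whether the missing records are host-wide or limited to particular events.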
