From: Steve Grubb
Subject: Re: Is audit=1 still required for RHEL 7?
Date: Thu, 08 Jan 2015 08:03:51 -0500
Message-ID: <1463074.0R9kLf2U71@x2>
In-Reply-To: <54AE57FE.3000508@msn.com>
To: burak4burak@msn.com, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, January 08, 2015 12:12:14 PM Burak Gürer wrote:
> Hi everyone!
>
> First of all, sorry for my bad English!
>
> I could not manage to get rid of the auid=4294967295 issue.
>
> I have implemented these suggestions:
>
> https://www.redhat.com/archives/linux-audit/2010-June/msg00002.html
> https://people.redhat.com/sgrubb/audit/audit-faq.txt
>
> but did not succeed.
> Are there any other reasons or solutions?

There is a chance that --with-audit or --enable-audit was not used in the
configuration of the utilities. I can't say for certain without knowing more
about your distribution.

> By the way, for the suggestions in the links, is it important where we put
> the suggested confs?
>
> e.g. which line to put "audit=1"

That is a kernel boot parameter.

> or which line to put "session required pam_loginuid.so"

This would go into the pam configuration of system entry points. For example,
it would be in /etc/pam.d/login. But it would NOT go into /etc/pam.d/system-auth
or /etc/pam.d/su. This should already be configured by your distribution and
you shouldn't need to adjust it.

> and further are kernel or audit package versions important?

Yes. But not to the two questions you ask above. More important is whether or
not auditing is enabled in the packages by your distribution. The audit
facilities from your question have been available almost 10 years. So, I wonder
if auditing is enabled.

-Steve

> If anyone can help with this it will be very helpful.
>
> Regards,
>
> On 06-01-2015 21:16, Erinn Looney-Triggs wrote:
> > On Tuesday, January 06, 2015 02:13:27 PM Steve Grubb wrote:
> >> On Tuesday, January 06, 2015 11:54:37 AM Erinn Looney-Triggs wrote:
> >>> I have been digging around trying to find the answer to the above,
> >>> hopefully I didn't miss something obvious. It was for RHEL < 7; is it
> >>> still for RHEL 7? Or has systemd done some magic to remove that need?
> >>
> >> AFAIK, all linux kernels from all distributions have the same need. What
> >> that flag does is enable the audit system. When the audit system is
> >> enabled and every time there is a fork, the TIF_AUDIT flag is added to
> >> the process. This makes the process auditable.
> >>
> >> Without this flag, the process cannot be audited...ever. So, if systemd
> >> was to do some magic (and it doesn't), then systemd itself would not be
> >> auditable nor any process it creates until audit became enabled.
> >>
> >> -Steve
> >
> > Thanks Steve, I just wanted to check, I couldn't find anything explicitly
> > mentioning this. I think I'll open a bug for the SCAP security guide about
> > this.
> >
> > -Erinn
> >
> >
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
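As an added check script (my own, not from the thread, the distribution or the audit package), the three points Steve raises can be verified on a host: audit=1 on the kernel command line, pam_loginuid.so in the session stack of an entry-point service such as /etc/pam.d/login (and not in system-auth or su), and whether a loginuid or audit record still carries the unset sentinel 4294967295. The function names are my own; run it with --report to inspect the running system.

```shell
#!/bin/sh
# Added example, not from the thread or the audit project: read-only checks
# for the points Steve raises. Paths are the ones named in the thread.
# 0 if the kernel command line ($1, e.g. from /proc/cmdline) carries audit=1.
audit_cmdline_enabled() {
    case " $1 " in
        *" audit=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if PAM service file contents ($1) have an uncommented session line that
# loads pam_loginuid.so ("-session" marks an optional module and also counts).
pam_has_loginuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*-?session[[:space:]]+[^#]*pam_loginuid\.so'
}

# "unset" for the sentinel 4294967295 (the auid=4294967295 seen in records),
# "set" for any other number, "invalid" for anything else.
loginuid_status() {
    case "$1" in
        4294967295) echo unset ;;
        ''|*[!0-9]*) echo invalid ;;
        *) echo set ;;
    esac
}

# Print the auid field of one audit record line ($1); empty if absent.
record_auid() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]auid=\([0-9][0-9]*\).*/\1/p'
}

# Report on the running host; reads only /proc and /etc/pam.d.
report() {
    audit_cmdline_enabled "$(cat /proc/cmdline 2>/dev/null)" && s=present || s=missing
    echo "kernel command line: audit=1 $s"
    for svc in login system-auth su; do   # thread: expected in login only
        f=/etc/pam.d/$svc
        [ -r "$f" ] || { echo "$f: not readable, skipped"; continue; }
        pam_has_loginuid "$(cat "$f")" && s=loads || s="does not load"
        echo "$f: $s pam_loginuid.so"
    done
    echo "loginuid of this shell: $(loginuid_status "$(cat /proc/self/loginuid 2>/dev/null)")"
}

if [ "${1:-}" = "--report" ]; then report; fi
```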