public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Erinn Looney-Triggs <erinn.looneytriggs@gmail.com>
Subject: Re: Is audit=1 still required for RHEL 7?
Date: Tue, 06 Jan 2015 14:13:27 -0500
Message-ID: <1805905.fjKhBfE3L9@x2>
In-Reply-To: <1676603.MYLvDDvdka@scrapy.abaqis.com>

On Tuesday, January 06, 2015 11:54:37 AM Erinn Looney-Triggs wrote:
> I have been digging around trying to find the answer to the above, hopefully
> I didn't miss something obvious. It was for RHEL < 7; is it still for RHEL
> 7? Or has systemd done some magic to remove that need?

AFAIK, all Linux kernels from all distributions have the same need. What that
flag does is enable the audit system. When the audit system is enabled and
every time there is a fork, the TIF_AUDIT flag is added to the process. This
makes the process auditable.

Without this flag, the process cannot be audited...ever. So, if systemd was to 
do some magic (and it doesn't), then systemd itself would not be auditable nor 
any process it creates until audit became enabled.

-Steve
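
A boot-time check for the flag discussed in this message, as an added example that is not part of the original email or of the audit project's code: it classifies the `audit=` setting found on a kernel command line such as `/proc/cmdline`. The function names, the constructed sample command lines, and the last-occurrence-wins handling of a repeated `audit=` entry are assumptions of this example; `on`/`off` are spellings newer kernels accept alongside `1`/`0`.

```shell
#!/bin/sh
# Added example (not from the original message): classify the audit=
# boot parameter so a host can be checked for "audit enabled from boot".

# audit_boot_state "<kernel command line>"
# Prints: enabled | disabled | unset | unrecognised
# Assumption: if audit= is given more than once, the last one is used.
audit_boot_state() (
    set -f                      # no globbing while splitting the string
    state="unset"
    for word in $1; do
        case "$word" in
            audit=1|audit=on)   state="enabled" ;;
            audit=0|audit=off)  state="disabled" ;;
            audit=*)            state="unrecognised" ;;
        esac                    # audit_backlog_limit=... does not match
    done
    printf '%s\n' "$state"
)

# report_audit_boot [file]  (hypothetical helper; defaults to /proc/cmdline)
report_audit_boot() {
    file="${1:-/proc/cmdline}"
    if [ ! -r "$file" ]; then
        printf 'cannot read %s\n' "$file"
        return 0
    fi
    case "$(audit_boot_state "$(cat "$file")")" in
        enabled)  echo "audit enabled at boot: every fork gets TIF_AUDIT" ;;
        disabled) echo "audit explicitly disabled on the command line" ;;
        unset)    echo "no audit= flag: processes forked before audit is enabled cannot be audited" ;;
        *)        echo "audit= present with an unrecognised value" ;;
    esac
}

# Constructed sample command lines, not taken from any real host.
for sample in \
    "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet audit=1" \
    "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro audit_backlog_limit=8192" \
    "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro audit=1 audit=0"
do
    printf '%-12s <- %s\n' "$(audit_boot_state "$sample")" "$sample"
done

# Check the running system when the file is available.
if [ -r /proc/cmdline ]; then
    report_audit_boot /proc/cmdline
fi
```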
