From: Steve Grubb
Subject: Re: Is audit=1 still required for RHEL 7?
Date: Tue, 06 Jan 2015 14:13:27 -0500
Message-ID: <1805905.fjKhBfE3L9@x2>
References: <1676603.MYLvDDvdka@scrapy.abaqis.com>
In-Reply-To: <1676603.MYLvDDvdka@scrapy.abaqis.com>
To: linux-audit@redhat.com
Cc: Erinn Looney-Triggs
List-Id: linux-audit@redhat.com

On Tuesday, January 06, 2015 11:54:37 AM Erinn Looney-Triggs wrote:
> I have been digging around trying to find the answer to the above, hopefully
> I didn't miss something obvious. It was for RHEL < 7; is it still for RHEL
> 7? Or has systemd done some magic to remove that need?

AFAIK, all Linux kernels from all distributions have the same need. What that flag does is enable the audit system. When the audit system is enabled, every time there is a fork the TIF_AUDIT flag is added to the process. This makes the process auditable. Without this flag, the process cannot be audited...ever.

So, if systemd was to do some magic (and it doesn't), then systemd itself would not be auditable, nor would any process it creates, until audit became enabled.

-Steve
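A boot-time check for the setting discussed above, added here as an example and not part of the original thread. It assumes that, as with other kernel parameters, the last `audit=` token on the command line is the one that takes effect, and the remediation comment uses `grubby`, the usual RHEL 7 bootloader tool:

```shell
#!/bin/sh
# Added example: verify that the running kernel was booted with audit=1,
# i.e. that the audit system was on from the first fork, so that early
# processes (systemd included) carry the audit flag and can be audited.

# audit_boot_state CMDLINE -> prints "enabled", "disabled" or "absent".
# Assumption: a later audit= token overrides an earlier one.
audit_boot_state() {
    state="absent"
    for tok in $1; do
        case "$tok" in
            audit=1) state="enabled" ;;
            audit=0) state="disabled" ;;
        esac
    done
    printf '%s\n' "$state"
}

# check_running_kernel -> exit status 0 only if this host booted with audit=1.
check_running_kernel() {
    [ "$(audit_boot_state "$(cat /proc/cmdline)")" = "enabled" ]
}

# Constructed sample command lines (not captured from a real host).
SAMPLE_RHEL7="BOOT_IMAGE=/vmlinuz-3.10.0-123.el7.x86_64 root=/dev/mapper/rhel-root ro crashkernel=auto rhgb quiet audit=1"
SAMPLE_NOAUDIT="BOOT_IMAGE=/vmlinuz-3.10.0-123.el7.x86_64 root=/dev/mapper/rhel-root ro rhgb quiet"

echo "sample with audit=1 : $(audit_boot_state "$SAMPLE_RHEL7")"     # enabled
echo "sample without it   : $(audit_boot_state "$SAMPLE_NOAUDIT")"   # absent

# Live check, only when run as a script on a Linux host.
if [ -r /proc/cmdline ]; then
    if check_running_kernel; then
        echo "this kernel booted with audit=1"
    else
        echo "audit=1 missing: processes started before auditd are not auditable"
        # Remediation on RHEL 7 (then reboot):
        #   grubby --update-kernel=ALL --args="audit=1"
    fi
fi
```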