From: Steve Grubb
Subject: Re: Auditing failed kill events
Date: Tue, 21 Aug 2007 14:16:44 -0400
Message-ID: <200708211416.45503.sgrubb@redhat.com>
References: <6F2A8C9C4C5BE446A17B745BBC856EEB5A6D37@XMBTX113.northgrum.com> <200708211150.46895.sgrubb@redhat.com> <6F2A8C9C4C5BE446A17B745BBC856EEB5A6D3E@XMBTX113.northgrum.com>
In-Reply-To: <6F2A8C9C4C5BE446A17B745BBC856EEB5A6D3E@XMBTX113.northgrum.com>
To: "Henning, Arthur C. (CSL)"
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday 21 August 2007 13:50:24 Henning, Arthur C. (CSL) wrote:
> > Audit 1.5.6-1.i386
> > That's on RHEL?
> Art >> RHEL 5

audit-1.5.5-7 is scheduled for RHEL5. :)

> You should have an OBJ_PID record, too.
> Art >> Don't find it. I use ausearch -sv no > [filename]. Open the file
> and find no OBJ_PID. Perhaps my rule isn't configured to allow this to
> be captured.

You need a newer kernel. This was fixed in our LSPP work and will be in 5.1.
You can find the LSPP kernels here:

ftp://ftp.redhat.com/pub/redhat/linux/eal/EAL4_RHEL5

But there have probably been some security releases since LSPP was final, so
you'd want to switch to the 5.1 kernel as soon as it's out.

-Steve
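An added example, not part of the original thread or of the audit project's code: a small check that groups raw audit records by event serial and reports, for each failed kill() event, whether an OBJ_PID record accompanies it. The sample records are constructed, and the record layout (an `opid=` field in OBJ_PID) and the kill() syscall numbers for i386 and x86_64 are assumptions about the log being examined.

```python
import re
from collections import defaultdict

# Constructed sample records in raw audit.log form (not taken from the thread).
# Event 101: failed kill() with OBJ_PID; 102: failed kill() without; 103: failed open().
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1187720204.101:101): arch=40000003 syscall=37 success=no exit=-1 a0=4d2 a1=9 pid=2001 auid=500 uid=500 comm="bash"
type=OBJ_PID msg=audit(1187720204.101:101): opid=1234 obj=system_u:system_r:initrc_t:s0
type=SYSCALL msg=audit(1187720210.330:102): arch=40000003 syscall=37 success=no exit=-1 a0=162e a1=f pid=2001 auid=500 uid=500 comm="bash"
type=SYSCALL msg=audit(1187720215.008:103): arch=40000003 syscall=5 success=no exit=-13 a0=bf9 a1=0 pid=2002 auid=500 uid=500 comm="cat"
"""

# Assumed mapping of audit arch value -> kill() syscall number (i386, x86_64).
KILL_SYSCALLS = {"40000003": "37", "c000003e": "62"}
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")

def parse_events(text):
    """Group raw audit records by event serial number."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip anything that is not a raw audit record
        rtype, _ts, serial, body = m.groups()
        fields = dict(kv.split("=", 1) for kv in body.split() if "=" in kv)
        events[int(serial)].append((rtype, fields))
    return events

def failed_kills(text):
    """Return {serial: target pid, or None if the event has no OBJ_PID record}."""
    result = {}
    for serial, records in parse_events(text).items():
        sc = next((f for t, f in records if t == "SYSCALL"), None)
        if not sc or sc.get("success") != "no":
            continue
        if KILL_SYSCALLS.get(sc.get("arch"), "?") != sc.get("syscall"):
            continue  # failed, but not a kill() on a known arch
        obj = next((f for t, f in records if t == "OBJ_PID"), None)
        result[serial] = int(obj["opid"]) if obj else None
    return result

if __name__ == "__main__":
    for serial, opid in sorted(failed_kills(SAMPLE_LOG).items()):
        print(serial, "OBJ_PID opid=%d" % opid if opid is not None else "no OBJ_PID record")
```

Events reported with no OBJ_PID record match the symptom described in the thread, where the target process is missing from the failed kill event.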