Re: Latest Audit on RHEL 5.2

[Steve Grubb <sgrubb@redhat.com>]

On Wednesday 12 November 2008 11:16:26 Dan Gruhn wrote:
> 1) I have read the HowTo at
> http://people.redhat.com/sgrubb/audit/prelude.txt but it seems rather old
> as it talks about audit 1.6.6 to 1.6.7 upgrading

This is a particular warning for anyone that ever installed and used the audit 
1.6.6 prelude plugin because the name of the sensor being registered was 
changed at the prelude developer's request. If you never installed that 
version, then that note doesn't apply to you. I updated the text to hopefully 
make that more plain. 

I also added a new Deployment Tips section to explain a little about 
maintaining & tuning the setup.


> and updates to come after things have been checked out.  Does anyone have
> any updates to this procedure that will be helpful?

The update I need to make to the text was that we assigned a new UID/GID pair 
to prelude out of the pool of UIDs reserved for daemons. I think the Fedora 
10 prelude packages create that user if it doesn't exist. But since Fedora 10 
is not shipping yet, I haven't spent the time testing out the new UID/GID 
pair. I just wanted to get it reserved since that is a much longer process 
requiring coordination with other groups inside Red Hat.


> 2) The pre-reqs for audit-1.7.9-1.src.rpm says it needs glibc-kernheaders
> >= 3.0-14. I must not understand what this is asking for. Is this some kind
> of abbreviation?  Where can I find this?

This is the kernel headers shipped with the 2.6 kernel. RHEL5 is OK. RHEL4 is 
not.

-Steve