From: Steve Grubb
Subject: Re: Latest Audit on RHEL 5.2
Date: Mon, 17 Nov 2008 12:37:36 -0500
Message-ID: <200811171237.36672.sgrubb@redhat.com>
To: linux-audit@redhat.com, Dan Gruhn

On Wednesday 12 November 2008 11:16:26 Dan Gruhn wrote:
> 1) I have read the HowTo at
> http://people.redhat.com/sgrubb/audit/prelude.txt but it seems rather old
> as it talks about audit 1.6.6 to 1.6.7 upgrading

This is a particular warning for anyone that ever installed and used the audit
1.6.6 prelude plugin because the name of the sensor being registered was
changed at the prelude developer's request. If you never installed that
version, then that note doesn't apply to you. I updated the text to hopefully
make that more plain.

I also added a new Deployment Tips section to explain a little about
maintaining & tuning the setup.

> and updates to come after things have been checked out. Does anyone have
> any updates to this procedure that will be helpful?

The update I need to make to the text was that we assigned a new UID/GID pair
to prelude out of the pool of UIDs reserved for daemons. I think the Fedora
10 prelude packages create that user if it doesn't exist. But since Fedora 10
is not shipping yet, I haven't spent the time testing out the new UID/GID
pair. I just wanted to get it reserved since that is a much longer process
requiring coordination with other groups inside Red Hat.

> 2) The pre-reqs for audit-1.7.9-1.src.rpm says it needs
> glibc-kernheaders >= 3.0-14. I must not understand what this is asking
> for. Is this some kind of abbreviation? Where can I find this?

This is the kernel headers shipped with the 2.6 kernel. RHEL5 is OK. RHEL4 is
not.

-Steve