From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: rhel6/7 question
Date: Fri, 12 Sep 2014 10:22:31 -0400
Message-ID: <2089155.agMu1aDU8W@x2>
References: <5412FDEF.2060508@magitekltd.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <5412FDEF.2060508@magitekltd.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Friday, September 12, 2014 09:06:39 AM LC Bruzenak wrote:
> Are there any issues with a RHEL7 auditd collecting events from RHEL6
> submitters?

To my knowlege, there are no issues. Its pretty much the same software on both 
systems.

> How about any interpretation issues, on the RHEL7 side, of these events?

Just the usual user name/group interpretation issue. But if you spot anything 
else, let me know. With the ausearch-test application, I have been working to 
make interpretation and searching universally correct. This is only achieved 
with the latest audit packages.

As an aside, I have found that we also need an audit validation suite. What 
this would do is have someone start a system, login, logout, log back in, shut 
down the system, reboot and run the test to see if all necessary events have 
been generated, no duplicates, no spurious events, and fields are correct.

-Steve