From: Steve Grubb <sgrubb@redhat.com>
To: burak4burak@msn.com
Cc: linux-audit@redhat.com
Subject: Re: Is audit=1 still required for RHEL 7?
Date: Thu, 08 Jan 2015 09:13:08 -0500
Message-ID: <2247361.QvknK8CF0u@x2>
In-Reply-To: <54AE8714.1000904@msn.com>
Hello,
On Thursday, January 08, 2015 03:33:08 PM Burak Gürer wrote:
> On 08-01-2015 15:03, Steve Grubb wrote:
> > On Thursday, January 08, 2015 12:12:14 PM Burak Gürer wrote:
> >> Hi everyone!
> >>
> >> First of all, sorry for my bad English!
> >>
> >> I could not manage to get rid of the auid=4294967295 issue.
> >>
> >> I have implemented these suggestions:
> >>
> >> https://www.redhat.com/archives/linux-audit/2010-June/msg00002.html
> >> https://people.redhat.com/sgrubb/audit/audit-faq.txt
> >>
> >> but did not succeed.
> >> Is there any other reason or solution?
> >
> > There is a chance that --with-audit or --enable-audit was not used in the
> > configuration of the utilities. I can't say for certain without knowing
> > more about your distribution.
>
> The distribution is:
>
> [root@test /root]# lsb_release -a
>
> LSB Version:
> :core-3.1-amd64:core-3.1-ia32:core-3.1-noarch:graphics-3.1-amd64:graphics-3.
> :1-ia32:graphics-3.1-noarch
> Distributor ID: RedHatEnterpriseServer
> Description: Red Hat Enterprise Linux Server release 5.2 (Tikanga)
> Release: 5.2
> Codename: Tikanga
OK. Then I know that auditing is enabled in everything possible.
> >> by the way suggestions in the links, is it important to where we put the
> >> suggested confs:
> >>
> >> e.g. which line to put "audit=1"
> >
> > That is a kernel boot parameter.
>
> Is this correct?
>
> # grub.conf generated by anaconda
> #
> # Note that you do not have to rerun grub after making changes to this file
> # NOTICE: You have a /boot partition. This means that
> # all kernel and initrd paths are relative to /boot/, eg.
> # root (hd0,0)
> # kernel /vmlinuz-version ro root=/dev/sda2
> # initrd /initrd-version.img
> #boot=/dev/sda
> default=0
> timeout=5
> splashimage=(hd0,0)/grub/splash.xpm.gz
> hiddenmenu
> title Red Hat Enterprise Linux Server (2.6.18-92.el5)
> root (hd0,0)
> kernel /vmlinuz-2.6.18-92.el5 ro root=LABEL=/ *audit=1* rhgb quiet
Yes, this is correct, assuming that the '*' was added just for emphasis but is
absent in the real file. That must be in place for each bootable kernel for it
to universally work.
> initrd /initrd-2.6.18-92.el5.img
>
> >> or which line to put "session required pam_loginuid.so"
> >
> > This would go into the pam configuration of system entry points. For
> > example, it would be in /etc/pam.d/login. But it would NOT go into
> > /etc/pam.d/system- auth or /etc/pam.d/su. This should already be
> > configured by your distribution and you shouldn't need to adjust it.
> >
> >> and further are kernel or audit package versions important?
> >
> > Yes. But not to the two questions you ask above. More important is whether
> > or not auditing is enabled in the packages by your distribution. The
> > audit facilities from your question have been available for almost 10 years.
> > So, I wonder if auditing is enabled.
>
> So how can I check if auditing is enabled?
For RHEL5, I know it's enabled. But based on your questions above, you are
asking two things: where to put audit=1, and if pam_loginuid is right. For these,
# cat /proc/cmdline
and
# cat /proc/self/loginuid
would let you check. In the first, make sure audit=1 is there and in the second
case, the output should be the uid under which you logged into the system.
-Steve
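The two checks Steve describes, plus a count of audit records carrying the unset auid, as an added shell example that is not code from the thread. The sample audit.log records are constructed; the live-host checks read /proc/cmdline and /proc/self/loginuid only when they are readable.

```shell
# Added example (not code from the thread): checks the two things Steve
# lists, and counts records with the unset auid in sample audit.log lines.
UNSET_AUID=4294967295   # (uint32)-1: the kernel's "login uid never set" value

# Exit 0 if a kernel command line (as in /proc/cmdline) carries audit=1.
cmdline_has_audit() {
    for word in $1; do
        [ "$word" = "audit=1" ] && return 0
    done
    return 1
}

# Exit 0 if a loginuid value (as in /proc/self/loginuid) is a real uid,
# i.e. pam_loginuid.so ran for this session; exit 1 if it is unset.
loginuid_is_set() {
    [ -n "$1" ] && [ "$1" != "$UNSET_AUID" ]
}

# Count records on stdin whose auid is the unset value (audit.log format).
# grep -c exits 1 when the count is 0, so the count is still printed.
count_unset_auid() {
    grep -c "auid=$UNSET_AUID" || true
}

# Constructed sample records: one from a proper login session, one not.
SAMPLE_LOG='type=USER_CMD msg=audit(1420726388.001:101): pid=2001 uid=500 auid=500 exe="/usr/bin/sudo"
type=USER_CMD msg=audit(1420726390.002:102): pid=2002 uid=0 auid=4294967295 exe="/usr/bin/sudo"'

# Run the checks against the live host; prints one line per check.
check_host() {
    if [ -r /proc/cmdline ] && cmdline_has_audit "$(cat /proc/cmdline)"; then
        echo "audit=1: present on the kernel command line"
    else
        echo "audit=1: MISSING (add it to every kernel line in grub.conf)"
    fi
    if [ -r /proc/self/loginuid ] && loginuid_is_set "$(cat /proc/self/loginuid)"; then
        echo "loginuid: set to $(cat /proc/self/loginuid)"
    else
        echo "loginuid: unset ($UNSET_AUID); pam_loginuid.so did not run for this session"
    fi
    return 0
}

check_host
```

To scan a real log, pipe it through count_unset_auid, e.g. `count_unset_auid < /var/log/audit/audit.log`; records produced by daemons started at boot legitimately carry the unset value, so a non-zero count alone is not a misconfiguration.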