From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Is audit=1 still required for RHEL 7?
Date: Thu, 08 Jan 2015 09:13:08 -0500
Message-ID: <2247361.QvknK8CF0u@x2>
References: <1676603.MYLvDDvdka@scrapy.abaqis.com> <1463074.0R9kLf2U71@x2> <54AE8714.1000904@msn.com>
In-Reply-To: <54AE8714.1000904@msn.com>
To: burak4burak@msn.com
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

On Thursday, January 08, 2015 03:33:08 PM Burak Gürer wrote:
> On 08-01-2015 15:03, Steve Grubb wrote:
> > On Thursday, January 08, 2015 12:12:14 PM Burak Gürer wrote:
> >> Hi everyone!
> >>
> >> First of all, sorry for my bad English!
> >>
> >> I could not manage to get rid of the auid=4294967295 issue.
> >>
> >> I have implemented these suggestions:
> >>
> >> https://www.redhat.com/archives/linux-audit/2010-June/msg00002.html
> >> https://people.redhat.com/sgrubb/audit/audit-faq.txt
> >>
> >> but did not succeed.
> >> Are there any other reasons or solutions?
> >
> > There is a chance that --with-audit or --enable-audit was not used in the
> > configuration of the utilities. I can't say for certain without knowing
> > more about your distribution.
>
> The distribution is:
>
> [root@test /root]# lsb_release -a
>
> LSB Version:    :core-3.1-amd64:core-3.1-ia32:core-3.1-noarch:graphics-3.1-amd64:graphics-3.1-ia32:graphics-3.1-noarch
> Distributor ID: RedHatEnterpriseServer
> Description:    Red Hat Enterprise Linux Server release 5.2 (Tikanga)
> Release:        5.2
> Codename:       Tikanga

OK. Then I know that auditing is enabled in everything possible.

> >> By the way, for the suggestions in the links, is it important where we
> >> put the suggested confs:
> >>
> >> e.g. which line to put "audit=1"
> >
> > That is a kernel boot parameter.
>
> Is this correct?:
>
> # grub.conf generated by anaconda
> #
> # Note that you do not have to rerun grub after making changes to this file
> # NOTICE:  You have a /boot partition.  This means that
> #          all kernel and initrd paths are relative to /boot/, eg.
> #          root (hd0,0)
> #          kernel /vmlinuz-version ro root=/dev/sda2
> #          initrd /initrd-version.img
> #boot=/dev/sda
> default=0
> timeout=5
> splashimage=(hd0,0)/grub/splash.xpm.gz
> hiddenmenu
> title Red Hat Enterprise Linux Server (2.6.18-92.el5)
>         root (hd0,0)
>         kernel /vmlinuz-2.6.18-92.el5 ro root=LABEL=/ *audit=1* rhgb quiet

Yes, this is correct, assuming that the '*' was added just for emphasis but is
absent in the real file. That must be in place for each bootable kernel for it
to universally work.

>         initrd /initrd-2.6.18-92.el5.img
>
> >> or which line to put "session required pam_loginuid.so"
> >
> > This would go into the pam configuration of system entry points. For
> > example, it would be in /etc/pam.d/login. But it would NOT go into
> > /etc/pam.d/system-auth or /etc/pam.d/su. This should already be
> > configured by your distribution and you shouldn't need to adjust it.
> >
> >> and further are kernel or audit package versions important?
> >
> > Yes. But not to the two questions you ask above. More important is whether
> > or not auditing is enabled in the packages by your distribution. The
> > audit facilities from your question have been available almost 10 years.
> > So, I wonder if auditing is enabled.
>
> So how can I check if auditing is enabled?

For RHEL5, I know it's enabled. But based on your questions above, you are
asking 2 things. Where to put audit=1 and if pam_loginuid is right. For these,

# cat /proc/cmdline

and

# cat /proc/self/loginuid

would let you check. In the first, make sure audit=1 is there and in the
second case, the output should be the uid under which you logged into the
system.

-Steve
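The two checks Steve describes (audit=1 on the kernel command line, and a /proc/self/loginuid that is a real uid rather than the unset value 4294967295) as a small POSIX shell script. This is an added example, not code from the thread or from the audit project; the function names are my own, and the only facts it relies on are the two /proc paths and the 4294967295 sentinel already quoted in the mail. The comparison functions take the file contents as arguments so they can be exercised on constructed input; check_system() applies them to the live files where they exist.

```shell
#!/bin/sh
# Added example (not from the linux-audit thread): verify that audit=1 is on
# the kernel command line and that the current session has a loginuid set,
# i.e. that pam_loginuid.so ran for the entry point that created the session.

# Return 0 when the kernel command line carries audit=1 as a whole token, so
# neither "audit=10" nor "noaudit=1" counts. Runs in a subshell with globbing
# off so characters such as '*' in the argument are never pathname-expanded.
cmdline_has_audit() {
    ( set -f
      for tok in $1; do
          [ "$tok" = "audit=1" ] && exit 0
      done
      exit 1 )
}

# Return 0 when the loginuid is a real uid: a non-negative integer other than
# 4294967295, the value that shows up as auid=4294967295 in audit records when
# pam_loginuid.so never ran for the session.
loginuid_is_set() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty, "-1", or otherwise non-numeric
    esac
    [ "$1" != "4294967295" ]
}

# Apply both checks to the running system. Prints one line per check and
# returns 1 if anything is wrong; /proc files that cannot be read are skipped
# (for example in a container or on a non-Linux host).
check_system() {
    rc=0
    if [ -r /proc/cmdline ]; then
        if cmdline_has_audit "$(cat /proc/cmdline)"; then
            echo "OK:   audit=1 is on the kernel command line"
        else
            echo "WARN: audit=1 is missing from the kernel command line"
            rc=1
        fi
    fi
    if [ -r /proc/self/loginuid ]; then
        uid=$(cat /proc/self/loginuid)
        if loginuid_is_set "$uid"; then
            echo "OK:   loginuid for this session is $uid"
        else
            echo "WARN: loginuid is unset ($uid); pam_loginuid.so did not run for this session"
            rc=1
        fi
    fi
    return $rc
}

if check_system; then
    echo "audit session tracking looks correct"
else
    echo "one or more checks failed (see WARN lines above)"
fi
```

Run it from an interactive login (ssh or the console) rather than from a cron job or a service: those are started without passing through a pam_loginuid.so session, so a 4294967295 there is expected and says nothing about the login path.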