From: Erinn Looney-Triggs
Subject: Re: Is audit=1 still required for RHEL 7?
Date: Tue, 06 Jan 2015 12:16 -0700
Message-ID: <3347865.oePFyplibZ@scrapy.abaqis.com>
In-Reply-To: <1805905.fjKhBfE3L9@x2>
References: <1676603.MYLvDDvdka@scrapy.abaqis.com> <1805905.fjKhBfE3L9@x2>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, January 06, 2015 02:13:27 PM Steve Grubb wrote:
> On Tuesday, January 06, 2015 11:54:37 AM Erinn Looney-Triggs wrote:
> > I have been digging around trying to find the answer to the above,
> > hopefully I didn't miss something obvious. It was for RHEL < 7; is it
> > still for RHEL 7? Or has systemd done some magic to remove that need?
>
> AFAIK, all Linux kernels from all distributions have the same need. What
> that flag does is enable the audit system. When the audit system is enabled
> and every time there is a fork, the TIF_AUDIT flag is added to the process.
> This makes the process auditable.
>
> Without this flag, the process cannot be audited...ever. So, if systemd was
> to do some magic (and it doesn't), then systemd itself would not be
> auditable nor any process it creates until audit became enabled.
>
> -Steve

Thanks Steve, I just wanted to check, I couldn't find anything explicitly
mentioning this. I think I'll open a bug for the SCAP security guide about
this.

-Erinn
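
The boot-time requirement discussed in the message above can be verified with a small check. This is an added example, not part of the original thread: a shell function that classifies the `audit=` setting on a kernel command line. The function names and sample command lines are constructed for illustration, and the example assumes only the values 0 and 1 are meaningful.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# Classify the audit= token(s) on a kernel command line string.
# Prints: enabled | disabled | conflict | unrecognized | unset
audit_boot_state() {
    # Pad with spaces and flatten tabs/newlines so whole tokens can be matched.
    line=" $(printf '%s' "$1" | tr '\t\n' '  ') "
    on=0; off=0
    case $line in *" audit=1 "*) on=1 ;; esac
    case $line in *" audit=0 "*) off=1 ;; esac
    if [ "$on" -eq 1 ] && [ "$off" -eq 1 ]; then
        echo conflict        # both present: do not guess which one applies
    elif [ "$on" -eq 1 ]; then
        echo enabled
    elif [ "$off" -eq 1 ]; then
        echo disabled
    else
        case $line in
            *" audit="*) echo unrecognized ;;  # some value other than 0 or 1
            *)           echo unset ;;         # parameter absent
        esac
    fi
}

# Succeeds only when the command line enables audit from boot, so that
# processes receive the audit flag at fork, as described in the reply above.
audit_enabled_at_boot() {
    [ "$(audit_boot_state "$1")" = enabled ]
}

# Constructed sample command lines (not taken from a real host).
for sample in \
    "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet audit=1" \
    "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro audit_backlog_limit=8192" \
    "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro audit=0 audit=1"
do
    printf '%-12s %s\n' "$(audit_boot_state "$sample")" "$sample"
done

# On a live system:
#   audit_enabled_at_boot "$(cat /proc/cmdline)" || echo "audit=1 missing"
```

Matching whole tokens keeps related parameters such as `audit_backlog_limit=` from being mistaken for `audit=`.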