From: "Burak Gürer" <burak4burak@msn.com>
To: Erinn Looney-Triggs <erinn.looneytriggs@gmail.com>,
Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Is audit=1 still required for RHEL 7?
Date: Thu, 08 Jan 2015 12:12:14 +0200 [thread overview]
Message-ID: <54AE57FE.3000508@msn.com> (raw)
In-Reply-To: <3347865.oePFyplibZ@scrapy.abaqis.com>
[-- Attachment #1.1: Type: text/plain, Size: 1839 bytes --]
Hi everyone!
first of all sorry for my bad english!
i could not accomplish to get rid of from auid=4294967295 issue
i have implemented that suggestions:
https://www.redhat.com/archives/linux-audit/2010-June/msg00002.html
https://people.redhat.com/sgrubb/audit/audit-faq.txt
but not succeed.
is there any other reasons or solutions?
by the way suggestions in the links, is it important to where we put the
suggested confs:
e.g. which line to put "audit=1"
or which line to put "session required pam_loginuid.so"
and further are kernel or audit package versions important?
If anyone can help with this it will be very helpful.
Regards,
On 06-01-2015 21:16, Erinn Looney-Triggs wrote:
> On Tuesday, January 06, 2015 02:13:27 PM Steve Grubb wrote:
>> On Tuesday, January 06, 2015 11:54:37 AM Erinn Looney-Triggs wrote:
>>> I have been digging around trying to find the answer to the above,
>>> hopefully I didn't miss something obvious. It was for RHEL < 7 is it
>>> still for RHEL 7? Or has systemd done some magic to remove that need?
>> AFAIK, all linux kernels from all distributions have the same need. What
>> that flag does is enable the audit system. When the audit system is enabled
>> and every time there is a fork, the TIF_AUDIT flag is added to the process.
>> This make the process auditable.
>>
>> Without this flag, the process cannot be audited...ever. So, if systemd was
>> to do some magic (and it doesn't), then systemd itself would not be
>> auditable nor any process it creates until audit became enabled.
>>
>> -Steve
> Thanks Steve, I just wanted to check, I couldn't find anything explicitly
> mentioning this. I think I'll open a bug for the SCAP security guide about
> this.
>
> -Erinn
>
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
[-- Attachment #1.2: Type: text/html, Size: 3163 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
next prev parent reply other threads:[~2015-01-08 10:12 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-06 18:54 Is audit=1 still required for RHEL 7? Erinn Looney-Triggs
2015-01-06 19:13 ` Steve Grubb
2015-01-06 19:16 ` Erinn Looney-Triggs
2015-01-08 10:12 ` Burak Gürer [this message]
2015-01-08 13:03 ` Steve Grubb
2015-01-08 13:33 ` Burak Gürer
2015-01-08 14:13 ` Steve Grubb
2015-01-12 10:12 ` auid=4294967295 issue Burak Gürer
2015-01-12 14:54 ` Steve Grubb
2015-01-08 16:39 ` Audit rotate David Flatley
2015-01-08 16:46 ` Steve Grubb
2015-01-08 17:17 ` David Flatley
2015-01-08 17:23 ` Steve Grubb
2015-01-08 17:47 ` David Flatley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54AE57FE.3000508@msn.com \
--to=burak4burak@msn.com \
--cc=erinn.looneytriggs@gmail.com \
--cc=linux-audit@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox