Re: Is audit=1 still required for RHEL 7?

["Burak Gürer" <burak4burak@msn.com>]

[-- Attachment #1.1: Type: text/plain, Size: 3941 bytes --]


On 08-01-2015 15:03, Steve Grubb wrote:
> On Thursday, January 08, 2015 12:12:14 PM Burak Gürer wrote:
>> Hi everyone!
>>
>> first of all sorry for my bad english!
>>
>> i could not accomplish to get rid of from auid=4294967295 issue
>>
>> i have implemented that suggestions:
>>
>> https://www.redhat.com/archives/linux-audit/2010-June/msg00002.html
>> https://people.redhat.com/sgrubb/audit/audit-faq.txt
>>
>> but not succeed.
>> is there any other reasons or solutions?
> There is a chance that --with-audit or --enable-audit was not used in the
> configuration of the utilities. I can't say for certain without knowing more
> about your distribution.
distrubution is:

[root@test /root]# lsb_release -a
LSB Version: 
:core-3.1-amd64:core-3.1-ia32:core-3.1-noarch:graphics-3.1-amd64:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID:    RedHatEnterpriseServer
Description:    Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Release:    5.2
Codename:    Tikanga
>> by the way suggestions in the links, is it important to where we put the
>> suggested confs:
>>
>> e.g. which line to put "audit=1"
> That is a kernel boot parameter.
is this correct?:

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/sda2
#          initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-92.el5)
     root (hd0,0)
     kernel /vmlinuz-2.6.18-92.el5 ro root=LABEL=/ *audit=1* rhgb quiet
     initrd /initrd-2.6.18-92.el5.img
>> or which line to put "session required pam_loginuid.so"
> This would go into the pam configuration of system entry points. For example,
> it would be in /etc/pam.d/login. But it would NOT go into /etc/pam.d/system-
> auth or /etc/pam.d/su. This should already be configured by your distribution
> and you shouldn't need to adjust it.
>
>> and further are kernel or audit package versions important?
> Yes. But not to the two questions you ask above. More important is whether or
> not auditing is enabled in the packages by your distribution. The audit
> facilities from your question has been available almost 10 years. So, I wonder
> if auditing is enabled.
so how can i check if auditing is enabled?
>
> -Steve
>
>> If anyone can help with this it will be very helpful.
>>
>> Regards,
>>
>>    On 06-01-2015 21:16, Erinn Looney-Triggs wrote:
>>> On Tuesday, January 06, 2015 02:13:27 PM Steve Grubb wrote:
>>>> On Tuesday, January 06, 2015 11:54:37 AM Erinn Looney-Triggs wrote:
>>>>> I have been digging around trying to find the answer to the above,
>>>>> hopefully I didn't miss something obvious. It was for RHEL < 7 is it
>>>>> still for RHEL 7? Or has systemd done some magic to remove that need?
>>>> AFAIK, all linux kernels from all distributions have the same need. What
>>>> that flag does is enable the audit system. When the audit system is
>>>> enabled
>>>> and every time there is a fork, the TIF_AUDIT flag is added to the
>>>> process.
>>>> This make the process auditable.
>>>>
>>>> Without this flag, the process cannot be audited...ever. So, if systemd
>>>> was
>>>> to do some magic (and it doesn't), then systemd itself would not be
>>>> auditable nor any process it creates until audit became enabled.
>>>>
>>>> -Steve
>>> Thanks Steve, I just wanted to check, I couldn't find anything explicitly
>>> mentioning this. I think I'll open a bug for the SCAP security guide about
>>> this.
>>>
>>> -Erinn
>>>
>>>
>>> --
>>> Linux-audit mailing list
>>> Linux-audit@redhat.com
>>> https://www.redhat.com/mailman/listinfo/linux-audit


[-- Attachment #1.2: Type: text/html, Size: 5953 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]