On 08-01-2015 15:03, Steve Grubb wrote:
> On Thursday, January 08, 2015 12:12:14 PM Burak Gürer wrote:
>> Hi everyone!
>>
>> First of all, sorry for my bad English!
>>
>> I could not manage to get rid of the auid=4294967295 issue.
>>
>> I have implemented these suggestions:
>>
>> https://www.redhat.com/archives/linux-audit/2010-June/msg00002.html
>> https://people.redhat.com/sgrubb/audit/audit-faq.txt
>>
>> but did not succeed.
>> Are there any other reasons or solutions?
> There is a chance that --with-audit or --enable-audit was not used in the
> configuration of the utilities. I can't say for certain without knowing more
> about your distribution.

The distribution is:

[root@test /root]# lsb_release -a
LSB Version:    :core-3.1-amd64:core-3.1-ia32:core-3.1-noarch:graphics-3.1-amd64:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: RedHatEnterpriseServer
Description:    Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Release:        5.2
Codename:       Tikanga

>> By the way, for the suggestions in the links, is it important where we put the
>> suggested confs?
>>
>> E.g. on which line to put "audit=1"?
> That is a kernel boot parameter.

Is this correct?

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/sda2
#          initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-92.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-92.el5 ro root=LABEL=/ *audit=1* rhgb quiet
        initrd /initrd-2.6.18-92.el5.img

>> Or on which line to put "session required pam_loginuid.so"?
> This would go into the pam configuration of system entry points. For example,
> it would be in /etc/pam.d/login. But it would NOT go into /etc/pam.d/system-auth
> or /etc/pam.d/su. This should already be configured by your distribution
> and you shouldn't need to adjust it.
>
>> And further, are kernel or audit package versions important?
> Yes. But not to the two questions you ask above. More important is whether or
> not auditing is enabled in the packages by your distribution. The audit
> facilities from your question have been available almost 10 years. So, I wonder
> if auditing is enabled.

So how can I check if auditing is enabled?

>
> -Steve
>
>> If anyone can help with this it will be very helpful.
>>
>> Regards,
>>
>> On 06-01-2015 21:16, Erinn Looney-Triggs wrote:
>>> On Tuesday, January 06, 2015 02:13:27 PM Steve Grubb wrote:
>>>> On Tuesday, January 06, 2015 11:54:37 AM Erinn Looney-Triggs wrote:
>>>>> I have been digging around trying to find the answer to the above,
>>>>> hopefully I didn't miss something obvious. It was for RHEL < 7, is it
>>>>> still for RHEL 7? Or has systemd done some magic to remove that need?
>>>> AFAIK, all linux kernels from all distributions have the same need. What
>>>> that flag does is enable the audit system. When the audit system is enabled
>>>> and every time there is a fork, the TIF_AUDIT flag is added to the process.
>>>> This makes the process auditable.
>>>>
>>>> Without this flag, the process cannot be audited...ever. So, if systemd was
>>>> to do some magic (and it doesn't), then systemd itself would not be
>>>> auditable nor any process it creates until audit became enabled.
>>>>
>>>> -Steve
>>> Thanks Steve, I just wanted to check, I couldn't find anything explicitly
>>> mentioning this. I think I'll open a bug for the SCAP security guide about
>>> this.
>>>
>>> -Erinn
>>>
>>>
>>> --
>>> Linux-audit mailing list
>>> Linux-audit@redhat.com
>>> https://www.redhat.com/mailman/listinfo/linux-audit
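The three settings the thread goes back and forth on (auid=4294967295 in audit records, audit=1 on the kernel line, pam_loginuid.so in the PAM entry point) can each be checked mechanically. The script below is an added example, not part of the thread or the audit project; the function names and the sample record, grub line and PAM file are constructed for illustration, and the only live read is the current shell's /proc/self/loginuid.

```bash
#!/bin/sh
# Added example (constructed, not from the thread): offline checks for the
# three audit settings discussed above. Sample inputs are constructed.

# 1. Does an audit record carry an unset login UID? 4294967295 is (unsigned) -1,
#    i.e. pam_loginuid.so never ran for the session that produced the event.
auid_is_unset() {
    # $1: one audit record line
    case "$1" in
        *"auid=4294967295"*) return 0 ;;
        *) return 1 ;;
    esac
}

# 2. Does a grub.conf "kernel" line enable auditing at boot (audit=1)?
kernel_line_has_audit() {
    # $1: a "kernel ..." line from grub.conf; pad with spaces so audit=1
    #     must be a whole parameter, not part of another one
    case " $1 " in
        *" audit=1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# 3. Does a PAM service file (e.g. /etc/pam.d/login) load pam_loginuid.so as a
#    session module? Commented-out lines do not count.
pam_has_loginuid() {
    # $1: full contents of the PAM service file
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -q 'session[[:space:]].*pam_loginuid\.so'
}

# The current shell's own login UID; 4294967295 means this session is also
# missing one. Prints "unavailable" where /proc is not present.
current_loginuid() {
    cat /proc/self/loginuid 2>/dev/null || echo unavailable
}

# Constructed sample data (hypothetical values, not real captures)
SAMPLE_RECORD='type=USER_CMD msg=audit(1420722000.123:456): user pid=1234 uid=0 auid=4294967295 msg=sample'
SAMPLE_KERNEL='kernel /vmlinuz-2.6.18-92.el5 ro root=LABEL=/ audit=1 rhgb quiet'
SAMPLE_LOGIN='#%PAM-1.0
auth       include      system-auth
session    required     pam_loginuid.so
session    include      system-auth'

if auid_is_unset "$SAMPLE_RECORD"; then
    echo "sample record: auid unset (pam_loginuid.so did not run for that session)"
fi
echo "this shell's loginuid: $(current_loginuid)"
```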