From: Burak Gürer
Reply-To: burak4burak@msn.com
To: Steve Grubb, linux-audit@redhat.com
Subject: Re: Is audit=1 still required for RHEL 7?
Date: Thu, 08 Jan 2015 15:33:08 +0200
Message-ID: <54AE8714.1000904@msn.com>
In-Reply-To: <1463074.0R9kLf2U71@x2>
References: <1676603.MYLvDDvdka@scrapy.abaqis.com> <3347865.oePFyplibZ@scrapy.abaqis.com> <54AE57FE.3000508@msn.com> <1463074.0R9kLf2U71@x2>
List-Id: linux-audit@redhat.com

On 08-01-2015 15:03, Steve Grubb wrote:
> On Thursday, January 08, 2015 12:12:14 PM Burak Gürer wrote:
>> Hi everyone!
>>
>> First of all, sorry for my bad English!
>>
>> I could not manage to get rid of the auid=4294967295 issue.
>>
>> I have implemented these suggestions:
>>
>> https://www.redhat.com/archives/linux-audit/2010-June/msg00002.html
>> https://people.redhat.com/sgrubb/audit/audit-faq.txt
>>
>> but did not succeed.
>> Are there any other reasons or solutions?
> There is a chance that --with-audit or --enable-audit was not used in the
> configuration of the utilities. I can't say for certain without knowing more
> about your distribution.

The distribution is:

[root@test /root]# lsb_release -a
LSB Version:    :core-3.1-amd64:core-3.1-ia32:core-3.1-noarch:graphics-3.1-amd64:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: RedHatEnterpriseServer
Description:    Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Release:        5.2
Codename:       Tikanga

>> By the way, for the suggestions in the links, is it important where we put
>> the suggested confs:
>>
>> e.g. in which line to put "audit=1"?
> That is a kernel boot parameter.

Is this correct?:

# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE:  You have a /boot partition.  This means that
#          all kernel and initrd paths are relative to /boot/, eg.
#          root (hd0,0)
#          kernel /vmlinuz-version ro root=/dev/sda2
#          initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title Red Hat Enterprise Linux Server (2.6.18-92.el5)
    root (hd0,0)
    kernel /vmlinuz-2.6.18-92.el5 ro root=LABEL=/ *audit=1* rhgb quiet
    initrd /initrd-2.6.18-92.el5.img

>> or in which line to put "session required pam_loginuid.so"?
> This would go into the pam configuration of system entry points. For example,
> it would be in /etc/pam.d/login. But it would NOT go into /etc/pam.d/system-
> auth or /etc/pam.d/su. This should already be configured by your distribution
> and you shouldn't need to adjust it.
>
>> And further, are kernel or audit package versions important?
> Yes. But not to the two questions you ask above. More important is whether or
> not auditing is enabled in the packages by your distribution. The audit
> facilities from your question have been available for almost 10 years. So, I
> wonder if auditing is enabled.

So how can I check if auditing is enabled?

> -Steve
>
>> If anyone can help with this it will be very helpful.
>>
>> Regards,
>>
>> On 06-01-2015 21:16, Erinn Looney-Triggs wrote:
>>> On Tuesday, January 06, 2015 02:13:27 PM Steve Grubb wrote:
>>>> On Tuesday, January 06, 2015 11:54:37 AM Erinn Looney-Triggs wrote:
>>>>> I have been digging around trying to find the answer to the above,
>>>>> hopefully I didn't miss something obvious. It was for RHEL < 7; is it
>>>>> still for RHEL 7? Or has systemd done some magic to remove that need?
>>>> AFAIK, all Linux kernels from all distributions have the same need. What
>>>> that flag does is enable the audit system. When the audit system is
>>>> enabled, every time there is a fork the TIF_AUDIT flag is added to the
>>>> process. This makes the process auditable.
>>>>
>>>> Without this flag, the process cannot be audited...ever. So, if systemd
>>>> was to do some magic (and it doesn't), then systemd itself would not be
>>>> auditable nor any process it creates until audit became enabled.
>>>>
>>>> -Steve
>>> Thanks Steve, I just wanted to check, I couldn't find anything explicitly
>>> mentioning this. I think I'll open a bug for the SCAP security guide about
>>> this.
>>>
>>> -Erinn
>>>
>>> --
>>> Linux-audit mailing list
>>> Linux-audit@redhat.com
>>> https://www.redhat.com/mailman/listinfo/linux-audit
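The question at the end of the message ("how can I check if auditing is enabled?") has a mechanical answer for two of the three places the thread points at. The script below is an added example written for this thread; it is not code from the list, from Red Hat or from the audit project. It checks that the kernel command line carries `audit=1`, that the login PAM stack loads `pam_loginuid.so` on an uncommented line, and that the current session's login uid is something other than 4294967295 (the unsigned form of -1 that shows up as `auid=4294967295` in the records). The live paths `/proc/cmdline` and `/proc/self/loginuid` are assumed here as the kernel's standard interfaces for those values and do not come from the thread; `/etc/pam.d/login` is the file Steve names. The sample inputs are constructed (the kernel line is taken from the grub.conf above, the PAM stack is invented with `pam_loginuid.so` commented out) so the script runs on any machine.

```shell
#!/bin/sh
# Added example for this thread (not code from the list or the audit project).
# Three checks for the places the replies point at when every record shows
# auid=4294967295 (an unset login uid):
#   1. the kernel command line carries audit=1
#   2. the PAM entry point (/etc/pam.d/login) loads pam_loginuid.so
#   3. the current session actually has a login uid (/proc/self/loginuid)
# Each check takes its input as an argument, so it runs on constructed text
# as well as on the live files. The live paths /proc/cmdline and
# /proc/self/loginuid are assumed (standard kernel interfaces), not quoted
# from the thread.

# Returns 0 when the kernel command line contains audit=1 as a whole word,
# so "audit=10" or "noaudit=1" do not count.
cmdline_has_audit() {
    for word in $1; do
        [ "$word" = "audit=1" ] && return 0
    done
    return 1
}

# Returns 0 when the PAM stack text has an active (uncommented) line
# "session required pam_loginuid.so"; a commented-out line is ignored.
pam_has_loginuid() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_loginuid\.so'
}

# Prints "unset" for the value the thread is about (4294967295, the unsigned
# form of -1 that auditd logs as auid=4294967295), otherwise prints the uid.
loginuid_status() {
    case "$1" in
        4294967295|-1) echo unset ;;
        *)             echo "$1" ;;
    esac
}

# Constructed sample inputs: the kernel line from the grub.conf in the thread,
# and an invented /etc/pam.d/login where pam_loginuid.so is commented out.
SAMPLE_CMDLINE='ro root=LABEL=/ audit=1 rhgb quiet'
SAMPLE_PAM_LOGIN='#%PAM-1.0
auth       required     pam_securetty.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
#session    required     pam_loginuid.so'
SAMPLE_LOGINUID='4294967295'

# Runs the three checks, reading the live files when they are readable and
# falling back to the constructed samples otherwise.
report() {
    cmdline=$( [ -r /proc/cmdline ] && cat /proc/cmdline || echo "$SAMPLE_CMDLINE" )
    pam=$( [ -r /etc/pam.d/login ] && cat /etc/pam.d/login || echo "$SAMPLE_PAM_LOGIN" )
    luid=$( [ -r /proc/self/loginuid ] && cat /proc/self/loginuid || echo "$SAMPLE_LOGINUID" )

    if cmdline_has_audit "$cmdline"; then
        echo "audit=1 on kernel command line: yes"
    else
        echo "audit=1 on kernel command line: NO (add it to the kernel line in grub.conf)"
    fi
    if pam_has_loginuid "$pam"; then
        echo "pam_loginuid.so in login PAM stack: yes"
    else
        echo "pam_loginuid.so in login PAM stack: NO"
    fi
    echo "login uid of this session: $(loginuid_status "$luid")"
}

report
```

The third point Steve raises, whether the userspace tools were built with `--with-audit` or `--enable-audit`, is a packaging question these file checks cannot answer; on the distribution shown in the thread it has to be confirmed against the package build options. Note also that `/proc/self/loginuid` reports the uid of the session running the script, so run it from a fresh login session rather than from a shell that was already open before the change.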