Is audit=1 still required for RHEL 7?

Steve Grubb sgrubb at redhat.com
Tue Jan 6 19:13:27 UTC 2015


On Tuesday, January 06, 2015 11:54:37 AM Erinn Looney-Triggs wrote:
> I have been digging around trying to find the answer to the above; hopefully
> I didn't miss something obvious. It was required for RHEL < 7; is it still for RHEL
> 7? Or has systemd done some magic to remove that need?

AFAIK, all Linux kernels from all distributions have the same need. What that 
flag does is enable the audit system. When the audit system is enabled, every 
time there is a fork the TIF_AUDIT flag is added to the process. This 
makes the process auditable. 

Without this flag, the process cannot be audited...ever. So, if systemd were to 
do some magic (and it doesn't), then systemd itself would not be auditable, nor 
would any process it creates, until audit became enabled.

-Steve
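A practical follow-up to the point above, added here as an example and not part of the original thread: a POSIX sh script that checks whether a kernel command line actually carries audit=1 and whether the live audit subsystem reports itself enabled. The cmdline parser treats the last audit= occurrence as authoritative, since the kernel runs the parameter handler for each occurrence in order; it accepts "1" or "on" because newer kernels document both spellings, while the RHEL 7 kernel only documents "0"/"1". The remediation hint uses grubby, which is the normal way to edit boot arguments on RHEL 7; the script name and the sample strings are assumptions.

```shell
#!/bin/sh
# audit_boot_check.sh -- added example, not code from the original thread.
# Checks (1) whether a kernel command line enables audit at boot and
# (2) whether `auditctl -s` reports the audit subsystem as enabled.
set -f   # no globbing: cmdline tokens may contain '*' or '?'

# Print the effective value of the audit= parameter in the cmdline $1.
# The kernel invokes the handler for every occurrence, so the last one
# wins. Prints "unset" when the parameter is absent.
audit_param_value() {
    value=unset
    for tok in $1; do
        case "$tok" in
            audit=*) value=${tok#audit=} ;;
        esac
    done
    printf '%s\n' "$value"
}

# Return 0 when the cmdline enables audit at boot ("1", or "on" on
# kernels that document it), 1 otherwise.
cmdline_enables_audit() {
    case "$(audit_param_value "$1")" in
        1|on) return 0 ;;
        *)    return 1 ;;
    esac
}

# Extract the N from the "enabled N" line of `auditctl -s` output in $1.
# 1 means enabled, 2 means enabled and locked (-e 2); 0 means disabled.
# Prints nothing if the field is missing.
auditctl_enabled_value() {
    printf '%s\n' "$1" | awk '$1 == "enabled" { print $2; exit }'
}

# Report on the running system. Never fails, so the script is safe to
# source; it only prints findings and the grubby command to fix them.
main() {
    if [ -r /proc/cmdline ]; then
        cmdline=$(cat /proc/cmdline)
        if cmdline_enables_audit "$cmdline"; then
            echo "boot cmdline: audit=$(audit_param_value "$cmdline") (ok)"
        else
            echo "boot cmdline: audit=$(audit_param_value "$cmdline") (not enabled at boot)"
            echo "  fix on RHEL 7: grubby --update-kernel=ALL --args=\"audit=1\""
            echo "  (takes effect at the next boot)"
        fi
    else
        echo "boot cmdline: /proc/cmdline not readable, skipping"
    fi

    if command -v auditctl >/dev/null 2>&1; then
        # auditctl -s needs CAP_AUDIT_CONTROL, so it fails for normal users.
        if status=$(auditctl -s 2>/dev/null); then
            case "$(auditctl_enabled_value "$status")" in
                1) echo "kernel audit: enabled" ;;
                2) echo "kernel audit: enabled and locked" ;;
                *) echo "kernel audit: disabled" ;;
            esac
        else
            echo "kernel audit: auditctl -s failed (run as root)"
        fi
    else
        echo "kernel audit: auditctl not installed, skipping"
    fi
    return 0
}

main "$@"
```

Note that a clean `auditctl -s` result only tells you the subsystem is enabled now; processes forked before that point (including systemd and its early children, as Steve describes) still lack the flag, which is why the boot-time parameter is the check that matters.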




More information about the Linux-audit mailing list