Kernel / Boot auditing in RHEL 7?

In RHEL5 and RHEL6, I could add audit=1 to start kernel-level auditing during boot before the boot process got as far as starting auditd. Now, in RHEL7, I can't find any mention of audit=1 as a kernel argument.
Has anyone seen a definitive document on kernel/system auditing at boot time? Is just having the audit RPM installed and systemctl enable auditd sufficient on reboot?
rhel linux-audit
asked Feb 1 at 19:20
dafydd
1 Answer
accepted
The RHEL 7.x documentation on auditing doesn't mention the kernel parameter at all (somehow I thought the RHEL 6.x documentation did mention it but I can't seem to find it now).
The manual page for auditd (package audit-2.7.6-3.el7.x86_64) on a RHEL 7.4 system, however, has the following:
A boot param of audit=1 should be added to ensure that all processes that run before the audit daemon starts is marked as auditable by the kernel. Not doing that will make a few processes impossible to properly audit.
So, although it's not mentioned in the distribution documentation, you do still need the audit=1 kernel parameter.
answered Feb 2 at 8:42
mjturner
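A check for the setting the answer describes, as an added example that is not part of the original post: it reads audit= from the running kernel's command line and from GRUB_CMDLINE_LINUX in /etc/default/grub, so a host where the parameter is active now but would be lost when the boot configuration is regenerated is also flagged. The function names are hypothetical, the BIOS grub.cfg path in the hint is an assumption (UEFI systems use a different path), and treating the last occurrence of a repeated parameter as the effective one is an assumption.

```shell
#!/bin/sh
# Added example: verify that audit=1 is active now and persists across reboots.

# Print the effective audit= value found in a kernel command line string,
# or "unset" when the parameter is absent.
# Assumption: if audit= is repeated, the last occurrence takes effect.
audit_param() {
    value="unset"
    for tok in $1; do
        case "$tok" in
            # Matches audit=... only, not audit_backlog_limit=...
            audit=*) value="${tok#audit=}" ;;
        esac
    done
    printf '%s\n' "$value"
}

# Extract the GRUB_CMDLINE_LINUX value from the text of /etc/default/grub.
grub_default_cmdline() {
    printf '%s\n' "$1" |
        sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"[[:space:]]*$/\1/p' |
        tail -n 1
}

# Compare the running kernel with the persistent GRUB defaults.
# Returns 0 only when both carry audit=1.
check_boot_audit() {
    running=$(audit_param "$(cat /proc/cmdline)")
    grub_text=$(cat /etc/default/grub 2>/dev/null)
    persistent=$(audit_param "$(grub_default_cmdline "$grub_text")")
    echo "running kernel    : audit=$running"
    echo "/etc/default/grub : audit=$persistent"
    if [ "$running" = 1 ] && [ "$persistent" = 1 ]; then
        return 0
    fi
    echo 'hint: grubby --update-kernel=ALL --args="audit=1"'
    echo 'hint: add audit=1 to GRUB_CMDLINE_LINUX in /etc/default/grub,'
    echo '      run grub2-mkconfig -o /boot/grub2/grub.cfg, then reboot'
    return 1
}

# Run against the local host only when asked to: sh script.sh --check
if [ "${1:-}" = "--check" ]; then
    check_boot_audit
fi
```

After the reboot, `auditctl -s` reports the kernel's `enabled` flag, which confirms the state from the audit subsystem's side.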