* How to confirm AUDITD is immutable
@ 2020-10-14 18:30 warron.french
From: warron.french @ 2020-10-14 18:30 UTC (permalink / raw)
To: Linux Audit
Hello, I just wanted to confirm for my memory that if I wanted to confirm
that the auditd process running on my system was configured correctly and
intended to be *immutable* (setting *-e 2*) I would do so easily by executing:

*auditctl -s*

When I execute that command I get back in the results that have:
*enabled 1*
*loginuid_immutable 0 unlocked*
*among a few other lines.*

Shouldn't I actually see *enabled 2*?

I have in one of our .rules files under /etc/audit/rules.d/ the syntax
"-e 2".
Thanks,
--------------------------
Warron French
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
* Re: How to confirm AUDITD is immutable
@ 2020-10-14 18:44 ` Steve Grubb
From: Steve Grubb @ 2020-10-14 18:44 UTC (permalink / raw)
To: Linux Audit
On Wednesday, October 14, 2020 2:30:48 PM EDT warron.french wrote:
> Hello, I just wanted to confirm for my memory that if I wanted to confirm
> that the auditd process running on my system was configured correctly and
> intended to be *immutable* (setting *-e 2*) I would do so easily by executing:
>
> *auditctl -s*
>
> When I execute that command I get back in the results that have:
> *enabled 1*
> *loginuid_immutable 0 unlocked*
> *among a few other lines.*
>
> Shouldn't I actually see *enabled 2*?
That's what I get.
# auditctl -s
enabled 2
> I have in one of our .rules files under /etc/audit/rules.d/ the syntax
> "-e 2".
I'd copy 99-finalize.rules to rules.d and uncomment the only rule in the file.
It has to be last. Although I have no idea why what you have isn't working
unless it's not getting picked up by augenrules.
-Steve
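
Added example (not from either poster or from the audit project): shell functions that read the "enabled" value from `auditctl -s` output and check whether "-e 2" is the last rule across the files of a rules.d directory, read in sorted name order as augenrules merges them. The function names, the file names other than 99-finalize.rules, and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Constructed example: function names and sample inputs are illustrative.
# On a live host: diagnose "$(auditctl -s)" /etc/audit/rules.d

# Print the value of the "enabled" line from `auditctl -s` output on stdin.
audit_enabled_flag() {
    awk '$1 == "enabled" { print $2; exit }'
}

# Print "file: rule" for the last non-comment, non-blank line across
# DIR/*.rules, reading the files in sorted name order.
last_effective_rule() {
    dir=$1; last=""
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        line=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                   -e '/^#/d' -e '/^$/d' "$f" | tail -n 1)
        if [ -n "$line" ]; then last="$f: $line"; fi
    done
    printf '%s\n' "$last"
}

# Succeed only if the final rule in the merged order is "-e 2".
immutable_is_last() {
    rule=$(last_effective_rule "$1")
    [ "${rule#*: }" = "-e 2" ]
}

# $1 = `auditctl -s` text, $2 = rules directory.
# immutable        : kernel already reports enabled 2
# rules-not-loaded : rules end with -e 2 but the kernel does not report it
# not-configured   : -e 2 is missing or is not the last rule
diagnose() {
    flag=$(printf '%s\n' "$1" | audit_enabled_flag)
    if [ "$flag" = 2 ]; then echo "immutable"
    elif immutable_is_last "$2"; then echo "rules-not-loaded"
    else echo "not-configured"
    fi
}

# Demo on constructed input: the status lines quoted in the thread and a
# temporary rules directory standing in for /etc/audit/rules.d.
demo_dir=$(mktemp -d)
printf '%s\n' '-D' '-b 8192' > "$demo_dir/10-base.rules"
printf '%s\n' '# lock the configuration' '-e 2' > "$demo_dir/99-finalize.rules"
diagnose 'enabled 1
loginuid_immutable 0 unlocked' "$demo_dir"
rm -rf "$demo_dir"
```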