7021457: Enable auditing of processes that start prior to auditd

This document (7021457) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 Service Pack 3 (SLES 12 SP3)

SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)

Situation

Once the audit daemon is running, it ensures auditing is enabled on all processes that get launched after startup of auditd and are capable of auditing. The “auditible” flag, which is present for all processes, indicates whether or not the events of the process is capable of auditing.

However, the processes launched prior to the audit process will not have auditing enabled when they are spawned.

Resolution

Booting with “audit=1” on the kernel command-line will make sure auditing is enabled on all auditible processes.

The change can be implemented the following way :

  • Open the file /etc/default/grub
  • Append “audit=1” to the space-separated list of options specified in the GRUB_CMDLINE_LINUX_DEFAULT variable.
  • Save the file
  • Update the GRUB2 boot loader configuration in /boot/grub2/grub.cfg by executing
    # grub2-mkconfig -o /boot/grub2/grub.cfg
  • Reboot the system
  • Verify that the setting is present in the /proc/cmdline file

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.

Related:

Leave a Reply