Discussion:
type=PROCTITLE events not being populated in /var/log/audit/audit.log
Joshua Ammons
2018-01-10 22:41:03 UTC
Hello,

I wanted to check if anyone was aware of a setting on a RedHat box for enabling the PROCTITLE event type for audit logs? Is there any difference between RedHat and CentOS? I have one box running RedHat 7.3 and another running CentOS 7.3, with auditd enabled on both with the same rules. However, only the RedHat box is populating the event type PROCTITLE - the CentOS box does not.

I would like to get the PROCTITLE event type working on my CentOS box as well, if possible, but I cannot find any documentation online about anyone else having this issue and how to resolve it.

Thanks for your time.

Joshua Ammons Advanced SIEM Engineer, Cybersecurity
Global Business Services
Office 479.204.4472 | Mobile 479.595.2291
***@walmart.com

Walmart
805 Moberly Ln
Bentonville, AR 72716
Save money. Live better.

Steve Grubb
2018-01-10 23:22:10 UTC
Hello,
Post by Joshua Ammons
I wanted to check if anyone was aware of a setting on a RedHat box for
enabling the PROCTITLE event type for audit logs?
Nope.
Post by Joshua Ammons
Is there any difference between RedHat and CentOS?
I have seen studies that show there are differences.
Post by Joshua Ammons
I have one box running RedHat 7.3 and another running CentOS 7.3, with
auditd enabled on both with the same rules. However, only the RedHat box is
populating the event type PROCTITLE - the CentOS box does not.
You might move that box to CentOS 7.4. The proctitle records were a kernel
enhancement shipped in RHEL 7.4.

-Steve
Post by Joshua Ammons
I would like to get the PROCTITLE event type working on my CentOS box as
well, if possible, but I cannot find any documentation online about anyone
else having this issue and how to resolve it.
Thanks for your time.
Joshua Ammons Advanced SIEM Engineer, Cybersecurity
Global Business Services
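To compare two hosts as in this thread, the following added example (not code from either poster or from the audit project) groups audit.log records by event ID, lists SYSCALL events that carry no PROCTITLE record, and decodes the hex-encoded `proctitle=` value. The sample lines are constructed, and the names `decode_proctitle` and `proctitle_coverage` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in audit.log format (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1515624063.101:201): arch=c000003e syscall=59 success=yes exit=0 pid=2101 comm="cat" exe="/usr/bin/cat"
type=EXECVE msg=audit(1515624063.101:201): argc=2 a0="cat" a1="/etc/passwd"
type=PROCTITLE msg=audit(1515624063.101:201): proctitle=636174002F6574632F706173737764
type=SYSCALL msg=audit(1515624070.500:202): arch=c000003e syscall=59 success=yes exit=0 pid=2102 comm="id" exe="/usr/bin/id"
type=EXECVE msg=audit(1515624070.500:202): argc=1 a0="id"
type=SYSCALL msg=audit(1515624071.900:203): arch=c000003e syscall=2 success=yes exit=3 pid=2103 comm="bash" exe="/usr/bin/bash"
type=PROCTITLE msg=audit(1515624071.900:203): proctitle="bash"
"""

# Record header: type=<TYPE> msg=audit(<epoch>.<ms>:<serial>): <fields>
RECORD = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)$")
# The value is either a quoted string or hex with NUL-separated argv.
TITLE = re.compile(r'proctitle=(?:"([^"]*)"|((?:[0-9A-Fa-f]{2})+)(?=\s|$))')

def decode_proctitle(body):
    """Return the command line from a PROCTITLE record body, or None."""
    m = TITLE.search(body)
    if not m:
        return None
    if m.group(1) is not None:
        return m.group(1)
    raw = bytes.fromhex(m.group(2))
    return raw.replace(b"\x00", b" ").decode("utf-8", "replace").strip()

def proctitle_coverage(lines):
    """Map titled SYSCALL events to their command line; list untitled ones."""
    events = defaultdict(dict)  # event id -> {record type: record body}
    for line in lines:
        m = RECORD.search(line.strip())
        if m:
            rtype, event_id, body = m.groups()
            events[event_id][rtype] = body
    titled, missing = {}, []
    for event_id, recs in events.items():
        if "SYSCALL" not in recs:
            continue
        if "PROCTITLE" in recs:
            titled[event_id] = decode_proctitle(recs["PROCTITLE"])
        else:
            missing.append(event_id)
    return titled, missing

if __name__ == "__main__":
    titled, missing = proctitle_coverage(SAMPLE_LOG.splitlines())
    print("titled:", titled)
    print("SYSCALL events without PROCTITLE:", missing)
```

On a host whose kernel does not emit these records, every SYSCALL event ends up in the second list.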