I am using a Linux system (RHEL 6.9) with no audit rules set:

$ sudo auditctl -l
No rules

but some data is still populating the audit log file

/var/log/audit/audit.log

Are there processes (or kernel code) that generate their own audit events that bypass the configured audit rules?

Thanks,

Todd