Following the poor practice of replying to my own email :(
Apparently most of the data in audit.log is associated with PAM auditing.
On Mar 12, 2018, at 11:16 AM, Todd Heberlein <todd_heberlein(a)mac.com> wrote:
I am using a Linux system (RHEL 6.9) with no audit rules set:
$ sudo auditctl -l
No rules
but some data is still populating the audit log file
/var/log/audit/audit.log
Are there processes (or kernel code) that generate their own audit events that bypass the
configured audit rules?
Thanks,
Todd
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
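
One way to check how much of an audit.log comes from PAM when no rules are loaded, as an added example that is not part of the original email or the audit project's own code: it tallies records carrying an `op=PAM:` field (as written by PAM-enabled programs such as sshd) against all other record types. The sample log lines are constructed, and the names `summarize` and `pam_share` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample records in audit.log line format (not taken from the thread).
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1520878560.101:310): user pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=success'
type=USER_ACCT msg=audit(1520878560.105:311): user pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="alice" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1520878560.110:312): user pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="alice" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=success'
type=LOGIN msg=audit(1520878560.112:313): pid=2101 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=12
type=USER_START msg=audit(1520878560.120:314): user pid=2101 uid=0 auid=500 ses=12 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1520878560.130:315): user pid=2101 uid=0 auid=500 ses=12 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=/dev/pts/0 res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")
PAM_OP = re.compile(r"\bop=PAM:(\w+)")
EXE = re.compile(r'\bexe="([^"]+)"')


def summarize(text):
    """Split audit records into PAM-emitted ones and everything else."""
    pam, other, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        head = HEADER.match(line)
        if not head:
            # Count non-empty lines that are not well-formed audit records.
            skipped += 1 if line.strip() else 0
            continue
        rtype = head.group(1)
        op = PAM_OP.search(line)
        if op:
            exe = EXE.search(line)
            pam[(rtype, op.group(1), exe.group(1) if exe else "?")] += 1
        else:
            other[rtype] += 1
    return pam, other, skipped


def pam_share(text):
    """Fraction of parsed records that carry an op=PAM: field."""
    pam, other, _ = summarize(text)
    total = sum(pam.values()) + sum(other.values())
    return sum(pam.values()) / total if total else 0.0


if __name__ == "__main__":
    pam, other, skipped = summarize(SAMPLE_LOG)
    for (rtype, op, exe), n in sorted(pam.items()):
        print(f"PAM    {rtype:<12} op={op:<15} exe={exe} x{n}")
    for rtype, n in sorted(other.items()):
        print(f"other  {rtype:<12} x{n}")
    print(f"PAM share: {pam_share(SAMPLE_LOG):.0%}, unparsed lines: {skipped}")
```

To run it on a real system, pass the contents of /var/log/audit/audit.log (readable by root) to `summarize` instead of `SAMPLE_LOG`.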