On Thursday, November 19, 2020 9:04:24 AM EST Andreas Hasenack wrote:
> I read in an old presentation (~2011) that these come from "trusted apps",
There are only 10 - 15 apps that are "trusted apps". They are logging events
that are required by various security standards such as Common Criteria, DISA
STIG, PCI DSS, etc.
> and in fact any process with cap_audit_write (iirc) can log such events.
While that may be true, it is generally not the case that they do in fact
log.
> The tip was that exclude/never list/action could be used to reduce this noise, is that still the case and recommended approach?
If you must, sure. Trusted app events are in the 1100-1199 range. But which
app is causing the problems that you see? In the past, we had to silence
crond because it was noisy.
> Or is there a way to use audit with only the rules defined in /etc/audit/rules.d?
The rules in that dir are insufficient to fulfill regulatory requirements. If
you are doing some kind of syscall experiment, then I can see that you might
want to turn them off. But if your aim is meeting some kind of standard, then
other events are required.
-Steve
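Steve's reply turns on two practical questions: which trusted app is actually producing the noise, and how to write the exclude rule once you know. The script below is an added example, not code from the thread or from the audit project. It parses auditd text records, counts records whose type is in the 1100-1199 user-message range per sending executable, and drafts exclude rules for the noisy pairs. The sample records are constructed (a crond PAM session cycle, one sshd login, one syscall record), not captured from a real host. The type-name-to-number table is the subset of libaudit.h I am confident of; the rule syntax follows auditctl(8), and filtering on exe in the exclude list is an assumption about the kernel in use, noted in the code.

```python
"""Find which trusted app floods audit.log and draft an exclude rule for it.

Added example for the linux-audit thread above; not the audit project's code.
Sample records are constructed. The exe= term on the exclude list assumes a
kernel whose exclude filter accepts it (check auditctl(8) for your version).
"""
import re
from collections import Counter

# User-space ("trusted application") message types from libaudit.h.
# All of them fall in the 1100-1199 range Steve refers to.
USER_MSG_TYPES = {
    "USER_AUTH": 1100, "USER_ACCT": 1101, "USER_MGMT": 1102, "CRED_ACQ": 1103,
    "CRED_DISP": 1104, "USER_START": 1105, "USER_END": 1106, "USER_AVC": 1107,
    "USER_CHAUTHTOK": 1108, "USER_ERR": 1109, "CRED_REFR": 1110,
    "USYS_CONFIG": 1111, "USER_LOGIN": 1112, "USER_LOGOUT": 1113,
    "ADD_USER": 1114, "DEL_USER": 1115, "ADD_GROUP": 1116, "DEL_GROUP": 1117,
    "USER_CMD": 1123, "SERVICE_START": 1131, "SERVICE_STOP": 1132,
}
TRUSTED_APP_RANGE = range(1100, 1200)

# A raw auditd record starts with type=NAME; the sender appears as exe="...".
RECORD_RE = re.compile(r'^type=(?P<type>\S+) .*?exe="(?P<exe>[^"]*)"')


def parse_record(line):
    """Return (type_name, exe) for one record, or None if it carries no exe= field."""
    m = RECORD_RE.match(line)
    return (m.group("type"), m.group("exe")) if m else None


def is_trusted_app_type(type_name):
    """True when the type is a user-space message type in 1100-1199.

    Names not in the table (SYSCALL, PROCTITLE, an unknown name) are not counted.
    """
    return USER_MSG_TYPES.get(type_name, -1) in TRUSTED_APP_RANGE


def count_trusted_app_records(lines):
    """Count (type, exe) pairs for records emitted by trusted applications."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec and is_trusted_app_type(rec[0]):
            counts[rec] += 1
    return counts


def draft_exclude_rules(counts, min_count):
    """Draft auditctl exclude rules for every (type, exe) pair seen min_count+ times.

    Put the output in a file under /etc/audit/rules.d for augenrules to load.
    The '-F exe=' term assumes kernel support on the exclude list; dropping it
    excludes the message type from every sender, which is usually too broad.
    """
    ranked = sorted(counts.items(), key=lambda kv: -kv[1])
    return [f"-a always,exclude -F msgtype={t} -F exe={exe}"
            for (t, exe), n in ranked if n >= min_count]


# --- constructed sample log -------------------------------------------------
_PAM_OP = {"CRED_ACQ": "PAM:setcred", "USER_START": "PAM:session_open",
           "CRED_DISP": "PAM:setcred", "USER_END": "PAM:session_close"}


def _crond_job(ts, serial):
    """Four constructed records: the PAM cycle crond emits for one job run."""
    return [
        f"type={t} msg=audit({ts}.{i:03d}:{serial + i}): pid=2101 uid=0 auid=0 "
        f"ses=30 msg='op={_PAM_OP[t]} acct=\"root\" exe=\"/usr/sbin/crond\" "
        f"hostname=? addr=? terminal=cron res=success'"
        for i, t in enumerate(_PAM_OP)
    ]


SAMPLE_LOG = [r for job in range(10) for r in _crond_job(1605794640 + 60 * job, 300 + 4 * job)]
SAMPLE_LOG += [
    "type=USER_LOGIN msg=audit(1605794700.500:400): pid=3003 uid=0 auid=1000 ses=31 "
    "msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=? addr=192.0.2.10 "
    "terminal=/dev/pts/0 res=success'",
    "type=SYSCALL msg=audit(1605794701.000:401): arch=c000003e syscall=257 success=yes "
    "exit=3 ppid=3003 pid=3010 auid=1000 uid=1000 comm=\"cat\" exe=\"/usr/bin/cat\" key=\"etc\"",
    "type=PROCTITLE msg=audit(1605794701.000:401): proctitle=636174002F6574632F686F7374",
]


if __name__ == "__main__":
    counts = count_trusted_app_records(SAMPLE_LOG)
    for (t, exe), n in counts.most_common():
        print(f"{n:5d}  {t:<12} {exe}")
    print("\n".join(draft_exclude_rules(counts, min_count=5)))
```

Run against a real /etc/audit/audit.log, the per-exe counts answer Steve's "which app is causing the problems" before any rule is written; the syscall and PROCTITLE records are ignored because only 1100-1199 types are tallied. Note that the drafted rules silence only the one noisy sender, so sshd's USER_LOGIN record, which the standards Steve lists expect to be kept, survives.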