All,
This is my first post to the list so…be gentle ;) Anyway, I'm trying to get some monitoring going where I plan on using auditd to monitor changes to files I deem important. Currently I have a watch on one file (called important_file); I've given it a key so I can find events related to my one important file. Below is my watch:
[root@XXXX-22 ~]# auditctl -l
No rules
AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/important_test, filterkey=test-file, perms=wa, valid=0
I've got no rules in my audit.rules (except -D and the -b 256 default).
My question is this (about time, eh?): even though the only rule I have is a single watch on a file, I'm getting all sorts of other events in my /var/log/audit/audit.log. A lot of it is don't-care items at this phase that would only grow my log files. Is there something I'm missing that can turn off the additional chatter in the logs? Below are some examples:
type=USER_ACCT msg=audit(05/24/2007 08:44:27.341:8311) : user pid=5633 uid=root auid=unknown(4294967295) msg='PAM accounting: user=scrubbeduserid exe="/usr/sbin/sshd" (hostname=cnu448f4g2.edwardjones.com, addr=XXX.XXX.XXX.146, terminal=ssh result=Success)'
----
type=LOGIN msg=audit(05/24/2007 08:44:27.368:8312) : login pid=5640 uid=root old auid=unknown(4294967295) new auid=scrubbeduserid
----
type=USER_START msg=audit(05/24/2007 08:44:27.370:8313) : user pid=5640 uid=root auid=scrubbeduserid msg='PAM session open: user=scrubbeduserid exe="/usr/sbin/sshd" (hostname=cnu448f4g2.edwardjones.com, addr=XXX.XXX.XXX.146, terminal=ssh result=Success)'
----
type=CRED_REFR msg=audit(05/24/2007 08:44:27.373:8314) : user pid=5640 uid=root auid=scrubbeduserid msg='PAM setcred: user=scrubbeduserid exe="/usr/sbin/sshd" (hostname=cnu448f4g2.edwardjones.com, addr=XXX.XXX.XXX.146, terminal=ssh result=Success)'
----
type=USER_LOGIN msg=audit(05/24/2007 08:44:27.382:8315) : user pid=5633 uid=root auid=unknown(4294967295) msg='uid=7532: exe="/usr/sbin/sshd" (hostname=cnu448f4g2.edwardjones.com, addr=XXX.XXX.XXX.146, terminal=/dev/pts/1 res=success)'
----
type=USER_AUTH msg=audit(05/24/2007 08:44:37.379:8316) : user pid=5698 uid=scrubbeduserid auid=scrubbeduserid msg='PAM authentication: user=scrubbeduserid exe="/usr/local/bin/priv-escalator" (hostname=nldg-22.appl.devjones.com, addr=XXX.XXX.XXX.186, terminal=/dev/pts/1 result=Success)'
----
type=USER_ACCT msg=audit(05/24/2007 08:44:37.384:8317) : user pid=5698 uid=scrubbeduserid auid=scrubbeduserid msg='PAM accounting: user=scrubbeduserid exe="/usr/local/bin/priv-escalator" (hostname=nldg-22.appl.devjones.com, addr=XXX.XXX.XXX.186, terminal=/dev/pts/1 result=Success)'
----
type=USER_AUTH msg=audit(05/24/2007 08:44:41.884:8318) : user pid=5728 uid=root auid=unknown(4294967295) msg='PAM authentication: user=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/3 result=Success)'
----
type=USER_ACCT msg=audit(05/24/2007 08:44:41.889:8319) : user pid=5728 uid=root auid=unknown(4294967295) msg='PAM accounting: user=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/3 result=Success)'
----
type=USER_START msg=audit(05/24/2007 08:44:41.890:8320) : user pid=5728 uid=root auid=unknown(4294967295) msg='PAM session open: user=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/3 result=Success)'
----
type=CRED_ACQ msg=audit(05/24/2007 08:44:41.890:8321) : user pid=5728 uid=root auid=unknown(4294967295) msg='PAM setcred: user=root exe="/bin/su" (hostname=?, addr=?, terminal=pts/3 result=Success)'
Basically I'm trying to chunk the logs down so my host-based IDS can snag the events and alert accordingly. I'm pretty new to Linux auditd and I'm coming from the Solaris BSM Audit school of thought. Steve, if you're reading this, thanks for your time and effort keeping Linux auditd going.
-Felix
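Added example, not part of Felix's message or of the audit project's own code: a small Python parser for records in the interpreted format shown above that groups records by event serial and keeps only the events carrying the watch key, the same split `ausearch -k test-file` gives. The two PAM/login records are copied from the post; the SYSCALL/PATH pair is constructed to stand in for what the `important_test` watch would emit.

```python
import re
from collections import Counter

# Constructed sample in the interpreted (ausearch -i style) format shown in the post.
# The first two records are copied from the post; the SYSCALL/PATH pair is a
# constructed example of the event a "-w /var/tmp/important_test -p wa -k test-file"
# watch would emit when the file is opened for writing.
SAMPLE_LOG = """\
type=USER_ACCT msg=audit(05/24/2007 08:44:27.341:8311) : user pid=5633 uid=root auid=unknown(4294967295) msg='PAM accounting: user=scrubbeduserid exe="/usr/sbin/sshd" (hostname=cnu448f4g2.edwardjones.com, addr=XXX.XXX.XXX.146, terminal=ssh result=Success)'
type=LOGIN msg=audit(05/24/2007 08:44:27.368:8312) : login pid=5640 uid=root old auid=unknown(4294967295) new auid=scrubbeduserid
type=SYSCALL msg=audit(05/24/2007 08:45:10.101:8330) : arch=x86_64 syscall=open success=yes exit=3 auid=scrubbeduserid uid=root comm=vi exe=/bin/vi key=test-file
type=PATH msg=audit(05/24/2007 08:45:10.101:8330) : item=0 name=/var/tmp/important_test inode=12345 dev=68:02 mode=file,644 ouid=root ogid=root
"""

HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[^)]+):(?P<serial>\d+)\) : (?P<body>.*)$")
FIELD = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")

def parse_record(line):
    """Split one interpreted audit record into type, timestamp, serial and fields.
    Quoted values (e.g. msg='...') are kept whole so the nested key=value pairs
    inside a PAM message do not pollute the top-level fields."""
    m = HEADER.match(line)
    if not m:
        return None
    fields = {k: v.strip("'\"") for k, v in FIELD.findall(m.group("body"))}
    return {"type": m.group("type"), "ts": m.group("ts"),
            "serial": int(m.group("serial")), "fields": fields}

def filter_by_key(lines, key):
    """Keep every record belonging to an event whose SYSCALL carries key=<key>.
    Events are grouped by serial, so the PATH record (which has no key field)
    stays attached to its SYSCALL, the way `ausearch -k <key>` groups them."""
    records = [r for r in map(parse_record, lines) if r]
    wanted = {r["serial"] for r in records if r["fields"].get("key") == key}
    return [r for r in records if r["serial"] in wanted]

def chatter_summary(lines, key):
    """Count the record types that did NOT come from the keyed watch: the PAM
    and login records the post asks about are emitted by user space (sshd, su,
    PAM) through the audit socket, so a file watch neither causes nor stops them."""
    keyed = {r["serial"] for r in filter_by_key(lines, key)}
    return Counter(r["type"] for r in map(parse_record, lines)
                   if r and r["serial"] not in keyed)
```

Because those user-space records are independent of the `-w` rule, they are best dropped either at the consumer (as above) or with auditctl's exclude filter, e.g. `-a exclude,always -F msgtype=USER_ACCT`, one rule per type you do not want logged.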