audit events w/o audit rules? - Linux-audit - Linux-Audit List Archives

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

audit events w/o audit rules?

[PATCH ghak21 V2 0/4] audit:...

[RFC PATCH ghak21 0/4] audit:...

Todd Heberlein

Monday, 12 March 2018 Mon, 12 Mar '18

1:16 p.m.

I am using a Linux system (RHEL 6.9) with no audit rules set: $ sudo auditctl -l No rules but some data is still populating the audit log file /var/log/audit/audit.log Are there processes (or kernel code) that generate their own audit events that bypass the configured audit rules? Thanks, Todd

Attachments:

attachment.html (text/html — 1.1 KB)

Reply

Show replies by date

Todd Heberlein

Monday, 12 March Mon, 12 Mar

1:55 p.m.

Following the poor practice of replying to my own email :( Apparently most of the data in audit.log is associated with PAM auditing. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/... todd

On Mar 12, 2018, at 11:16 AM, Todd Heberlein <todd_heberlein(a)mac.com> wrote: I am using a Linux system (RHEL 6.9) with no audit rules set: $ sudo auditctl -l No rules but some data is still populating the audit log file /var/log/audit/audit.log Are there processes (or kernel code) that generate their own audit events that bypass the configured audit rules? Thanks, Todd -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit

Reply

Steve Grubb

4:30 p.m.

On Mon, 12 Mar 2018 11:55:32 -0700 Todd Heberlein <todd_heberlein(a)mac.com> wrote:

Following the poor practice of replying to my own email :( Apparently most of the data in audit.log is associated with PAM auditing. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/...

tps://www.redhat.com/mailman/listinfo/linux-audit There are hardwired events (events that show up no matter what the rules say) that come from things that are required. For example: logins, logouts, adding a user, deleting a user, changing a password, etc. These are usually documented in our STIG rules saying this requirement is met due to hardwired events. -Steve

Reply

Richard Guy Briggs

11:30 p.m.

On 2018-03-12 22:30, Steve Grubb wrote:

On Mon, 12 Mar 2018 11:55:32 -0700 Todd Heberlein <todd_heberlein(a)mac.com> wrote: > Following the poor practice of replying to my own email :( > > Apparently most of the data in audit.log is associated with PAM > auditing. > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/... tps://www.redhat.com/mailman/listinfo/linux-audit There are hardwired events (events that show up no matter what the rules say) that come from things that are required. For example: logins, logouts, adding a user, deleting a user, changing a password, etc. These are usually documented in our STIG rules saying this requirement is met due to hardwired events.

To add to what Steve said, if you are really certain you don't want to see certain types of events/records, you can create exclude rules to drop them. Some of the events are kernel-generated and some are user-generated.

-Steve

- RGB -- Richard Guy Briggs <rgb(a)redhat.com> Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635

Reply

2475

days inactive

2476

days old

linux-audit@lists.linux-audit.osci.io

Manage subscription

3 comments

3 participants

tags (0)

participants (3)

Richard Guy Briggs
Steve Grubb
Todd Heberlein