Following the poor practice of replying to my own email :(

Apparently most of the data in audit.log is associated with PAM auditing.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit

todd

> On Mar 12, 2018, at 11:16 AM, Todd Heberlein <todd_heberl...@mac.com> wrote:
> 
> I am using a Linux system (RHEL 6.9) with no audit rules set:
> 
> $ sudo auditctl -l
> No rules
> 
> but some data is still populating the audit log file
> 
> /var/log/audit/audit.log
> 
> Are there processes (or kernel code) that generate their own audit events 
> that bypass the configured audit rules?
> 
> Thanks,
> 
> Todd
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

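An added example, not part of the original emails: a Python tally of audit.log record types that shows how many records carry an `op=PAM:` field and which executable submitted them, even with no audit rules loaded. The sample records are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample records in audit.log layout (not taken from the original post).
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1520878500.100:7001): auditd start, ver=2.4.5 format=raw pid=1201 res=success
type=USER_AUTH msg=audit(1520878561.512:101): user pid=2301 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="todd" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_ACCT msg=audit(1520878561.530:102): user pid=2301 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="todd" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1520878561.600:103): user pid=2301 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="todd" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=LOGIN msg=audit(1520878561.700:104): login pid=2301 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=12
type=USER_START msg=audit(1520878561.800:105): user pid=2301 uid=0 auid=500 ses=12 msg='op=PAM:session_open acct="todd" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_START msg=audit(1520878620.010:106): user pid=2410 uid=0 auid=0 ses=13 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1520878620.090:107): user pid=2410 uid=0 auid=0 ses=13 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
"""

RECORD = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")
PAM_OP = re.compile(r"op=PAM:(?P<op>\w+)")
EXE = re.compile(r'exe="(?P<exe>[^"]+)"')


def summarize(text):
    """Return (record-type counts, PAM (op, exe) counts, unparsable line count)."""
    types, pam, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            skipped += 1  # truncated or foreign line; count it rather than guess
            continue
        types[m["type"]] += 1
        op = PAM_OP.search(line)
        if op:  # record submitted by a PAM-aware program, not matched by a rule
            exe = EXE.search(line)
            pam[(op["op"], exe["exe"] if exe else "?")] += 1
    return types, pam, skipped


def pam_share(text):
    """Fraction of parsed records that carry an op=PAM: field."""
    types, pam, _ = summarize(text)
    total = sum(types.values())
    return sum(pam.values()) / total if total else 0.0


if __name__ == "__main__":
    types, pam, skipped = summarize(SAMPLE_LOG)
    print("by type:", dict(types))
    print("PAM op/exe:", dict(pam))
    print(f"PAM share: {pam_share(SAMPLE_LOG):.0%}, skipped lines: {skipped}")
```

To run it against a live system, pass the contents of /var/log/audit/audit.log to `summarize()`; reading that file normally requires root.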
