On Thursday, November 19, 2020 9:04:24 AM EST Andreas Hasenack wrote:
> I read in an old presentation (~2011) that these come from "trusted
> apps",

There are only 10 - 15 apps that are "trusted apps". They are logging events that are required by various security standards such as Common Criteria, DISA STIG, PCI DSS, etc.

> and in fact any process with cap_audit_write (iirc) can log
> such events.

While that may be true, it is generally not the case that they do in fact log.

> The tip was that exclude/never list/action could be used to reduce this
> noise, is that still the case and recommended approach?

If you must, sure. Trusted app events are in the 1100-1199 range. But which app is causing the problems that you see? In the past, we had to silence crond because it was noisy.

> Or is there a way to use audit with only the rules defined in /etc/audit/
> rules.d?

The rules in that dir are insufficient to fulfill regulatory requirements. If you are doing some kind of syscall experiment, then I can see that you might want to turn them off. But if your aim is meeting some kind of standard, then other events are required.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
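The reply above suggests finding out which trusted app is producing the volume before reaching for the exclude filter. The following is an added example, not code from the thread or from the audit project: it parses raw auditd log lines (constructed sample records, not real captures), counts the trusted-app message types (the 1100-1199 range) per executable, names the noisiest one, and prints the `-a always,exclude -F msgtype=...` lines that would silence exactly those types. The type-to-number table is a subset of libaudit's message type numbering and is an assumption of this example; the `exe` attribution relies on the `exe="..."` field that the trusted apps include in their records.

```python
import re
from collections import Counter

# Constructed sample records in auditd raw-log format (crond session noise plus
# one sshd login and one syscall record). Not taken from the mailing list thread.
SAMPLE_LOG = """\
type=CRED_ACQ msg=audit(1605801600.101:2001): pid=4100 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_START msg=audit(1605801600.102:2002): pid=4100 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open grantors=pam_loginuid,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1605801600.903:2003): pid=4100 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_close grantors=pam_loginuid,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1605801600.904:2004): pid=4100 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_AUTH msg=audit(1605801660.200:2005): pid=5120 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1605801660.250:2006): pid=5120 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1605801661.000:2007): arch=c000003e syscall=59 success=yes exit=0 ppid=5120 pid=5130 auid=1000 uid=1000 gid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
"""

# Subset of the trusted-app (1100-1199) message types and their libaudit numbers.
# Assumed for this example; the full table lives in libaudit's message type list.
TRUSTED_APP_TYPES = {
    "USER_AUTH": 1100, "USER_ACCT": 1101, "USER_MGMT": 1102,
    "CRED_ACQ": 1103, "CRED_DISP": 1104, "USER_START": 1105,
    "USER_END": 1106, "USER_LOGIN": 1112, "USER_LOGOUT": 1113,
}

RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\):')
EXE_RE = re.compile(r'exe="([^"]*)"')


def parse_records(text):
    """Yield (type, serial, exe) for every well-formed raw audit record."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines rather than guess
        exe = EXE_RE.search(line)
        yield m["type"], int(m["serial"]), (exe.group(1) if exe else None)


def trusted_app_noise(text):
    """Count trusted-app records per (exe, type); everything else is ignored."""
    counts = Counter()
    for rtype, _serial, exe in parse_records(text):
        if rtype in TRUSTED_APP_TYPES:
            counts[(exe, rtype)] += 1
    return counts


def noisiest_exe(text):
    """Return (exe, count) for the executable emitting the most trusted-app records."""
    per_exe = Counter()
    for (exe, _rtype), n in trusted_app_noise(text).items():
        per_exe[exe] += n
    return per_exe.most_common(1)[0] if per_exe else None


def exclude_rules(text, exe):
    """Exclude-filter rules (auditctl syntax) covering the types seen from one exe.

    The exclude filter matches on message type, so each rule drops that type
    for every process, not just `exe`; check the count table before applying.
    """
    types = sorted({t for (e, t) in trusted_app_noise(text) if e == exe})
    return [f"-a always,exclude -F msgtype={t}" for t in types]


if __name__ == "__main__":
    for (exe, rtype), n in sorted(trusted_app_noise(SAMPLE_LOG).items()):
        print(f"{n:5d}  {TRUSTED_APP_TYPES[rtype]}  {rtype:<12} {exe}")
    exe, n = noisiest_exe(SAMPLE_LOG)
    print(f"\nnoisiest trusted app: {exe} ({n} records)\n")
    print("\n".join(exclude_rules(SAMPLE_LOG, exe)))
```

On a live system feed it `ausearch --raw` output (or the raw `audit.log`) instead of the sample. The per-(exe, type) table is the part worth reading before editing anything under `/etc/audit/rules.d`: in the sample, silencing crond's `USER_START`/`USER_END` would not touch sshd, but silencing `USER_AUTH` would also drop sshd's authentication records, which is exactly the kind of event a compliance baseline expects to keep.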