I am using a Linux system (RHEL 6.9) with no audit rules set:
$ sudo auditctl -l
No rules
but some data is still populating the audit log file
/var/log/audit/audit.log
Are there processes (or kernel code) that generate their own audit events that
bypass the configured audit rules?
Thanks,
> On Mar 12, 2018, at 11:16 AM, Todd Heberlein <todd_heberl...@mac.com> wrote:
>
> I am using a Linux system (RHEL 6.9) with no audit rules set:
>
> $ sudo auditctl -l
> No rules
>
> but some data is still populating the audit log file
>
> /var/log/audi
I’ve noticed that the httpd process on a CentOS 7.7 system I am working with is
running with an Audit ID of -1. Example ID values are:
auid=4294967295
uid=48
gid=48
...
So if I use the standard filter "-F auid!=-1" in the audit rules I do not see
httpd activity.
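As an added example (not code from the thread's participants), a small Python scanner over constructed audit.log records showing which ones a `-F auid!=-1` rule would drop: the -1 in the rule is the same value as the auid=4294967295 in the log once it is read as an unsigned 32-bit integer, so a daemon such as httpd started without a login session is filtered out while logged-in users' activity is kept. The sample records are constructed for the example.

```python
"""Classify audit records by whether their auid is the 'unset' login UID."""
import re
from collections import Counter

# The kernel's unset loginuid, printed as 4294967295 and written as -1 in rules.
AUID_UNSET = 0xFFFFFFFF

# Constructed sample records modelled on the thread (not real log data).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1596131649.123:2001): arch=c000003e syscall=2 success=yes exit=7 a0=7f0a1 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=2301 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key="file-open"
type=SYSCALL msg=audit(1596131650.456:2002): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd2 a1=0 a2=1b6 a3=0 items=1 ppid=2877 pid=2900 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="file-open"
type=USER_LOGIN msg=audit(1596131651.789:2003): pid=2850 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/0 res=success'
"""

# key=value pairs; values are either a double-quoted string or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def rule_value_to_auid(rule_value):
    """Map the signed value written in a rule (e.g. -1) to the unsigned auid printed in the log."""
    return rule_value & 0xFFFFFFFF


def parse_record(line):
    """Return a dict of the key=value fields in one audit record, with quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def auid_is_unset(fields):
    """True when the record carries the unset auid, i.e. what '-F auid!=-1' excludes."""
    return "auid" in fields and int(fields["auid"]) == AUID_UNSET


def summarize(log_text):
    """Count records per (type, comm-or-exe) bucket, split into kept vs dropped by an auid!=-1 filter."""
    kept, dropped = Counter(), Counter()
    for line in log_text.splitlines():
        fields = parse_record(line)
        if not fields:
            continue
        bucket = (fields.get("type", "?"), fields.get("comm", fields.get("exe", "?")))
        (dropped if auid_is_unset(fields) else kept)[bucket] += 1
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = summarize(SAMPLE_LOG)
    print("kept by auid!=-1:", dict(kept))
    print("dropped by auid!=-1:", dict(dropped))
```

Run it against a real /var/log/audit/audit.log (read as text) to see how much daemon activity a blanket auid!=-1 filter would hide before adding that filter to production rules.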
AM, Steve Grubb wrote:
>
> On Thursday, July 30, 2020 1:54:09 PM EDT Todd Heberlein wrote:
>> I’ve noticed that the httpd process on a CentOS 7.7 system I am working
>> with is running with an Audit ID of -1. Example ID values are:
>>
>>auid=4294967295
Side note:
I found on some previous versions of CentOS 7 that if you audit a system call
that often comes before the exec() system call (e.g., auditing close() which is
called a number of times after a fork but before an exec), the PROCTITLE field
will be for the parent process and not the new