Re: audit events w/o audit rules?
On 2018-03-12 22:30, Steve Grubb wrote:
> On Mon, 12 Mar 2018 11:55:32 -0700
> Todd Heberlein wrote:
>
> > Following the poor practice of replying to my own email :(
> >
> > Apparently most of the data in audit.log is associated with PAM
> > auditing.
> >
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit
>
> There are hardwired events (events that show up no matter what the
> rules say) that come from things that are required. For example: logins,
> logouts, adding a user, deleting a user, changing a password, etc. These
> are usually documented in our STIG rules saying this requirement is met
> due to hardwired events.

To add to what Steve said, if you are really certain you don't want to see
certain types of events/records, you can create exclude rules to drop them.
Some of the events are kernel-generated and some are user-generated.

> -Steve

- RGB

--
Richard Guy Briggs
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: audit events w/o audit rules?
On Mon, 12 Mar 2018 11:55:32 -0700
Todd Heberlein wrote:

> Following the poor practice of replying to my own email :(
>
> Apparently most of the data in audit.log is associated with PAM
> auditing.
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit

There are hardwired events (events that show up no matter what the
rules say) that come from things that are required. For example: logins,
logouts, adding a user, deleting a user, changing a password, etc. These
are usually documented in our STIG rules saying this requirement is met
due to hardwired events.

-Steve
Re: audit events w/o audit rules?
Following the poor practice of replying to my own email :(

Apparently most of the data in audit.log is associated with PAM
auditing.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit

todd

> On Mar 12, 2018, at 11:16 AM, Todd Heberlein wrote:
>
> I am using a Linux system (RHEL 6.9) with no audit rules set:
>
> $ sudo auditctl -l
> No rules
>
> but some data is still populating the audit log file
>
> /var/log/audit/audit.log
>
> Are there processes (or kernel code) that generate their own audit events
> that bypass the configured audit rules?
>
> Thanks,
>
> Todd
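Two things in this thread are worth seeing in working form: Todd's question (what is landing in audit.log when `auditctl -l` reports no rules) and Richard's suggestion of exclude rules for record types you are certain you do not want. The script below is an added example written for this page; it is not from the thread, from Red Hat, or from the audit project. The log lines it tallies are constructed to look like the PAM/login records a rule-less RHEL 6 host emits, not captured output, and the REQUIRED_TYPES list is this example's own mapping of the event kinds Steve names (logins, logouts, user add/delete, password change) onto audit record type names; it is not an official STIG list.

```shell
#!/bin/sh
# Added example (not from the thread): tally the record types in an audit.log
# that was written with no rules loaded, then generate auditctl exclude rules
# for the types an operator decides to drop, refusing the ones that carry the
# login/account evidence the replies say are hardwired for compliance reasons.

# Constructed sample of a rule-less audit.log: auditd start plus the
# PAM/login records emitted regardless of the rule set. Values are made up.
sample_audit_log() {
  cat <<'EOF'
type=DAEMON_START msg=audit(1520877600.100:1): auditd start, ver=2.8.1 format=raw kernel=2.6.32-696.el6.x86_64 auid=4294967295 pid=1234 res=success
type=USER_AUTH msg=audit(1520877601.200:100): user pid=2000 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="todd" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_ACCT msg=audit(1520877601.201:101): user pid=2000 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="todd" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1520877601.202:102): user pid=2000 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="todd" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=LOGIN msg=audit(1520877601.203:103): pid=2000 uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=7
type=USER_START msg=audit(1520877601.204:104): user pid=2000 uid=0 auid=1000 ses=7 msg='op=PAM:session_open acct="todd" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1520877601.205:105): user pid=2000 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_AUTH msg=audit(1520877650.300:110): user pid=2100 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="todd" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.11 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1520877655.300:111): user pid=2100 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="todd" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.11 terminal=ssh res=failed'
type=USER_END msg=audit(1520877700.400:120): user pid=2000 uid=0 auid=1000 ses=7 msg='op=PAM:session_close acct="todd" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=CRED_DISP msg=audit(1520877700.401:121): user pid=2000 uid=0 auid=1000 ses=7 msg='op=PAM:setcred acct="todd" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
EOF
}

# Read audit records on stdin and print "TYPE count", busiest type first.
# Answers "what is filling audit.log when auditctl -l says No rules".
count_record_types() {
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^type=/) { sub(/^type=/, "", $i); n[$i]++; break } }
       END { for (t in n) print t, n[t] }' | sort -k2,2nr -k1,1
}

# This example's own mapping of the hardwired event kinds Steve lists onto
# record types. Assumption for illustration, not an official STIG list.
REQUIRED_TYPES="USER_LOGIN USER_LOGOUT LOGIN ADD_USER DEL_USER USER_CHAUTHTOK ADD_GROUP DEL_GROUP"

# Exit 0 if TYPE is one we never want to silence.
is_required_type() {
  for r in $REQUIRED_TYPES; do
    [ "$1" = "$r" ] && return 0
  done
  return 1
}

# Emit audit.rules lines that drop the named types on the exclude filter,
# skipping (with a warning) any type that is login/account evidence.
exclude_rules_for() {
  for t in "$@"; do
    if is_required_type "$t"; then
      echo "refusing to exclude $t: it is login/account evidence" >&2
      continue
    fi
    printf '%s\n' "-a always,exclude -F msgtype=$t"
  done
}

echo "record types in the constructed rule-less audit.log:"
sample_audit_log | count_record_types
echo
echo "exclude rules for the credential-housekeeping records (USER_LOGIN is refused):"
exclude_rules_for CRED_ACQ CRED_DISP USER_LOGIN
```

On a real host run `count_record_types < /var/log/audit/audit.log` (ausearch -m TYPE and aureport give the same view with the native tools); the generated lines go in /etc/audit/audit.rules on RHEL 6 and are loaded with `auditctl -R`, after which `auditctl -l` will of course no longer report "No rules". An exclude rule only stops the record from being written, it does not stop PAM or the kernel from generating it, and silencing the login, logout and account-change types removes exactly the evidence the hardwired events exist to provide.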