Re: audit events w/o audit rules?

2018-03-12 Thread Richard Guy Briggs
On 2018-03-12 22:30, Steve Grubb wrote:
> On Mon, 12 Mar 2018 11:55:32 -0700
> Todd Heberlein  wrote:
> 
> > Following the poor practice of replying to my own email :(
> > 
> > Apparently most of the data in audit.log is associated with PAM
> > auditing.
> > 
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit
> 
> There are hardwired events (events that show up no matter what the
> rules say) that come from things that are required. For example: logins,
> logouts, adding a user, deleting a user, changing a password, etc. These
> are usually documented in our STIG rules saying this requirement is met
> due to hardwired events.

To add to what Steve said, if you are really certain you don't want to
see certain types of events/records, you can create exclude rules to
drop them.  Some of the events are kernel-generated and some are
user-generated.

> -Steve

- RGB

--
Richard Guy Briggs 
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
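The exclude rules Richard mentions, as an added example that is not code from the thread: a small script that tallies the record types in an audit.log (the log is a constructed sample of the PAM/login records that show up with no rules loaded) and emits auditctl exclude rules for the types you decide you really do not want. Field values are made up; the type names are real audit record types.

```shell
#!/bin/sh
# Added example (not code from the thread). Tallies the record types in an audit.log
# and emits auditctl exclude rules for the types you decide you really do not want.
# The log below is a constructed sample of the PAM/login records that appear with no
# rules loaded; field values are made up, the type names are real audit record types.

sample_log() {
    cat <<'EOF'
type=DAEMON_START msg=audit(1520881000.000:100): auditd start, ver=2.4.5 format=raw auid=4294967295 pid=1234 res=success
type=USER_AUTH msg=audit(1520881020.101:201): user pid=4321 uid=0 auid=1000 ses=7 msg='op=PAM:authentication acct="todd" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_ACCT msg=audit(1520881020.102:202): user pid=4321 uid=0 auid=1000 ses=7 msg='op=PAM:accounting acct="todd" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=CRED_ACQ msg=audit(1520881020.103:203): user pid=4321 uid=0 auid=1000 ses=7 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1520881020.104:204): user pid=4321 uid=0 auid=1000 ses=7 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_END msg=audit(1520881025.105:205): user pid=4321 uid=0 auid=1000 ses=7 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=CRED_DISP msg=audit(1520881025.106:206): user pid=4321 uid=0 auid=1000 ses=7 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_AUTH msg=audit(1520881100.107:207): user pid=4400 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="todd" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
EOF
}

# "count TYPE" for every record type on stdin, most frequent first.
count_types() {
    sed -n 's/^type=\([A-Z_]*\) .*/\1/p' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Number of records of one type on stdin; grep -c prints 0 when there are none.
type_count() {
    grep -c "^type=$1 " || true
}

# One exclude rule per type, in the syntax of an auditctl -R rules file. The exclude
# list matches on msgtype only, so a listed type is dropped whether a user-space
# program or the kernel raised it. DAEMON_START is written by auditd itself rather
# than through the kernel, so it is not a candidate for this list.
exclude_rules() {
    for t in "$@"; do
        printf -- '-a always,exclude -F msgtype=%s\n' "$t"
    done
}

# Usage: see which types dominate, then generate rules for the PAM types only.
# Load the generated lines with: auditctl -R <rules file>
sample_log | count_types
exclude_rules USER_AUTH USER_ACCT CRED_ACQ USER_START USER_END CRED_DISP
```

Excluding USER_AUTH also silences the failed sshd attempt in the sample, which is exactly why Richard qualifies the advice with "really certain".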


Re: audit events w/o audit rules?

2018-03-12 Thread Steve Grubb
On Mon, 12 Mar 2018 11:55:32 -0700
Todd Heberlein  wrote:

> Following the poor practice of replying to my own email :(
> 
> Apparently most of the data in audit.log is associated with PAM
> auditing.
> 
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit

There are hardwired events (events that show up no matter what the
rules say) that come from things that are required. For example: logins,
logouts, adding a user, deleting a user, changing a password, etc. These
are usually documented in our STIG rules saying this requirement is met
due to hardwired events.

-Steve



Re: audit events w/o audit rules?

2018-03-12 Thread Todd Heberlein
Following the poor practice of replying to my own email :(

Apparently most of the data in audit.log is associated with PAM auditing.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit

todd

> On Mar 12, 2018, at 11:16 AM, Todd Heberlein  wrote:
> 
> I am using a Linux system (RHEL 6.9) with no audit rules set:
> 
> $ sudo auditctl -l
> No rules
> 
> but some data is still populating the audit log file
> 
> /var/log/audit/audit.log
> 
> Are there processes (or kernel code) that generate their own audit events 
> that bypass the configured audit rules?
> 
> Thanks,
> 
> Todd
> 
