Discussion:
audit events w/o audit rules?
Todd Heberlein
2018-03-12 18:16:28 UTC
I am using a Linux system (RHEL 6.9) with no audit rules set:

$ sudo auditctl -l
No rules

but some data is still populating the audit log file

/var/log/audit/audit.log

Are there processes (or kernel code) that generate their own audit events that bypass the configured audit rules?

Thanks,

Todd
Todd Heberlein
2018-03-12 18:55:32 UTC
Following the poor practice of replying to my own email :(

Apparently most of the data in audit.log is associated with PAM auditing.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit

todd
Post by Todd Heberlein
$ sudo auditctl -l
No rules
but some data is still populating the audit log file
/var/log/audit/audit.log
Are there processes (or kernel code) that generate their own audit events that bypass the configured audit rules?
Thanks,
Todd
--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
Steve Grubb
2018-03-12 21:30:44 UTC
On Mon, 12 Mar 2018 11:55:32 -0700
Post by Todd Heberlein
Following the poor practice of replying to my own email :(
Apparently most of the data in audit.log is associated with PAM auditing.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit

There are hardwired events (events that show up no matter what the
rules say) that come from things that are required. For example: logins,
logouts, adding a user, deleting a user, changing a password, etc. These
are usually documented in our STIG rules saying this requirement is met
due to hardwired events.

-Steve
Richard Guy Briggs
2018-03-13 04:30:00 UTC
Post by Steve Grubb
On Mon, 12 Mar 2018 11:55:32 -0700
Post by Todd Heberlein
Following the poor practice of replying to my own email :(
Apparently most of the data in audit.log is associated with PAM auditing.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit
There are hardwired events (events that show up no matter what the
rules say) that come from things that are required. For example: logins,
logouts, adding a user, deleting a user, changing a password, etc. These
are usually documented in our STIG rules saying this requirement is met
due to hardwired events.
To add to what Steve said, if you are really certain you don't want to
see certain types of events/records, you can create exclude rules to
drop them. Some of the events are kernel-generated and some are
user-generated.
Post by Steve Grubb
-Steve
- RGB

--
Richard Guy Briggs <***@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
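As an added example (not code from anyone in the thread), the script below does the two things the replies describe: it summarises which record types are filling audit.log with no rules loaded, and it emits exclude rules in auditctl syntax for the types you decide to drop. The log lines are constructed samples shaped like the PAM/login records the thread mentions; the type names (USER_START, CRED_ACQ, USER_END, CRED_DISP) are standard audit record types, but which ones dominate on a given host is an assumption, so run the summary against the real file first.

```shell
#!/bin/sh
# Constructed sample log, shaped like PAM session/credential records.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
type=USER_START msg=audit(1520878500.123:101): pid=1234 uid=0 auid=1000 ses=5 msg='op=PAM:session_open acct="todd" exe="/usr/sbin/sshd" terminal=ssh res=success'
type=CRED_ACQ msg=audit(1520878500.124:102): pid=1234 uid=0 auid=1000 ses=5 msg='op=PAM:setcred acct="todd" exe="/usr/sbin/sshd" terminal=ssh res=success'
type=USER_END msg=audit(1520878600.456:103): pid=1234 uid=0 auid=1000 ses=5 msg='op=PAM:session_close acct="todd" exe="/usr/sbin/sshd" terminal=ssh res=success'
type=CRED_DISP msg=audit(1520878600.457:104): pid=1234 uid=0 auid=1000 ses=5 msg='op=PAM:setcred acct="todd" exe="/usr/sbin/sshd" terminal=ssh res=success'
type=USER_START msg=audit(1520878700.789:105): pid=2345 uid=0 auid=1000 ses=6 msg='op=PAM:session_open acct="todd" exe="/usr/sbin/sshd" terminal=ssh res=success'
EOF

# Count records per type, most frequent first ("<count> <TYPE>" per line).
audit_type_counts() {
    awk '{ t = $1; sub(/^type=/, "", t); n[t]++ }
         END { for (t in n) print n[t], t }' "$1" | sort -rn
}

# Number of records of a single type in a log file (0 if none).
audit_count_of() {
    awk -v want="type=$2" '$1 == want { c++ } END { print c + 0 }' "$1"
}

# Emit one exclude rule per record type, in auditctl / audit.rules syntax.
# The exclude list matches on msgtype and drops the record before it is
# written. Login, logout and credential records are the hardwired events the
# STIG requirements rely on, so exclude a type only after confirming you can
# do without it.
make_exclude_rules() {
    for t in "$@"; do
        printf -- '-a always,exclude -F msgtype=%s\n' "$t"
    done
}

audit_type_counts "$SAMPLE_LOG"
make_exclude_rules CRED_ACQ CRED_DISP
```

On a real host run `audit_type_counts /var/log/audit/audit.log` as root; the rules from `make_exclude_rules` are the lines you would add to your audit.rules file (or load with `auditctl`) for the types you chose.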
