* audit events w/o audit rules?
From: Todd Heberlein @ 2018-03-12 18:16 UTC (permalink / raw)
To: Linux-audit
I am using a Linux system (RHEL 6.9) with no audit rules set:
$ sudo auditctl -l
No rules
but some data is still populating the audit log file
/var/log/audit/audit.log
Are there processes (or kernel code) that generate their own audit events that bypass the configured audit rules?
Thanks,
Todd
* Re: audit events w/o audit rules?
From: Todd Heberlein @ 2018-03-12 18:55 UTC (permalink / raw)
To: Linux-audit
Following the poor practice of replying to my own email :(
Apparently most of the data in audit.log is associated with PAM auditing.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit
todd
> On Mar 12, 2018, at 11:16 AM, Todd Heberlein <todd_heberlein@mac.com> wrote:
>
> I am using a Linux system (RHEL 6.9) with no audit rules set:
>
> $ sudo auditctl -l
> No rules
>
> but some data is still populating the audit log file
>
> /var/log/audit/audit.log
>
> Are there processes (or kernel code) that generate their own audit events that bypass the configured audit rules?
>
> Thanks,
>
> Todd
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
* Re: audit events w/o audit rules?
From: Steve Grubb @ 2018-03-12 21:30 UTC (permalink / raw)
To: Todd Heberlein; +Cc: Linux-audit
On Mon, 12 Mar 2018 11:55:32 -0700
Todd Heberlein <todd_heberlein@mac.com> wrote:
> Following the poor practice of replying to my own email :(
>
> Apparently most of the data in audit.log is associated with PAM
> auditing.
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit
There are hardwired events (events that show up no matter what the
rules say) that come from things that are required. For example: logins,
logouts, adding a user, deleting a user, changing a password, etc. These
are usually documented in our STIG rules saying this requirement is met
due to hardwired events.
-Steve
* Re: audit events w/o audit rules?
From: Richard Guy Briggs @ 2018-03-13 4:30 UTC (permalink / raw)
To: Steve Grubb; +Cc: Linux-audit
On 2018-03-12 22:30, Steve Grubb wrote:
> On Mon, 12 Mar 2018 11:55:32 -0700
> Todd Heberlein <todd_heberlein@mac.com> wrote:
>
> > Following the poor practice of replying to my own email :(
> >
> > Apparently most of the data in audit.log is associated with PAM
> > auditing.
> >
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit
>
> There are hardwired events (events that show up no matter what the
> rules say) that come from things that are required. For example: logins,
> logouts, adding a user, deleting a user, changing a password, etc. These
> are usually documented in our STIG rules saying this requirement is met
> due to hardwired events.
To add to what Steve said, if you are really certain you don't want to
see certain types of events/records, you can create exclude rules to
drop them. Some of the events are kernel-generated and some are
user-generated.
> -Steve
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
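As an added example (not code from this thread or from the audit project), the script below makes Steve's and Richard's points concrete over a constructed audit.log sample: it parses records from a box with no auditctl rules loaded, sorts each record type into user-space hardwired (PAM-aware programs such as sshd, sudo, passwd and useradd), kernel hardwired (LOGIN, CONFIG_CHANGE, AVC), or rule-driven (SYSCALL/PATH/CWD and friends, which only appear once you load syscall or watch rules), shows that the hardwired records are already enough to spot a failed authentication, and prints the audit.rules exclude lines Richard refers to. The sample records, the prefix tables and the function names are my assumptions, not anything from the thread; check record names against the kernel's audit.h before relying on the categories.

```python
import re
from collections import Counter

# Constructed sample of /var/log/audit/audit.log records, modelled on what a
# RHEL 6 host whose `auditctl -l` reports "No rules" still writes. Every line
# is a constructed example, not a capture from a real system.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1520878000.101:200): user pid=3120 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="todd" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_ACCT msg=audit(1520878000.102:201): user pid=3120 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="todd" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1520878000.103:202): user pid=3120 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="todd" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=LOGIN msg=audit(1520878000.104:203): login pid=3120 uid=0 old auid=4294967295 new auid=1000 old ses=4294967295 new ses=12
type=USER_START msg=audit(1520878000.105:204): user pid=3120 uid=0 auid=1000 ses=12 msg='op=PAM:session_open acct="todd" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1520878000.106:205): user pid=3120 uid=0 auid=1000 ses=12 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/0 res=success'
type=USER_AUTH msg=audit(1520878030.000:206): user pid=3150 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.0.0.9 addr=10.0.0.9 terminal=ssh res=failed'
type=CRED_REFR msg=audit(1520878060.000:207): user pid=3201 uid=0 auid=1000 ses=12 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_END msg=audit(1520878120.000:208): user pid=3120 uid=0 auid=1000 ses=12 msg='op=PAM:session_close acct="todd" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=CONFIG_CHANGE msg=audit(1520878200.000:209): auid=1000 ses=12 op="remove rule" key=(null) list=4 res=1
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

# Type-name prefixes (assumed tables, not from the thread) for records that
# reach auditd with no rule loaded. User-space ones are sent by PAM-aware
# programs through the audit netlink socket; LOGIN (loginuid being set),
# CONFIG_CHANGE (rule changes) and AVC (SELinux) come from the kernel but
# also need no rule. SYSCALL and its companion records only appear once a
# syscall or watch rule is loaded.
USER_SPACE_HARDWIRED = ("USER_", "CRED_", "ADD_USER", "DEL_USER",
                        "ADD_GROUP", "DEL_GROUP", "GRP_", "DAEMON_")
KERNEL_HARDWIRED = ("LOGIN", "CONFIG_CHANGE", "AVC")
RULE_DRIVEN = ("SYSCALL", "PATH", "CWD", "EXECVE", "SOCKADDR", "PROCTITLE", "FD_PAIR")


def classify(rtype):
    """Say where a record type comes from and whether a rule was needed."""
    if rtype.startswith(USER_SPACE_HARDWIRED):
        return "user-space hardwired"
    if rtype.startswith(KERNEL_HARDWIRED):
        return "kernel hardwired"
    if rtype.startswith(RULE_DRIVEN):
        return "rule-driven"
    return "unclassified"


def _kv(text):
    """key=value pairs of one record body; double quotes around values dropped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_records(text):
    """Parse audit.log lines into dicts: type, timestamp, serial, fields."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # continuation lines or junk: skip rather than guess
        fields = _kv(m.group("body"))
        # PAM records wrap their details in msg='...'; hoist those pairs.
        inner = fields.get("msg", "")
        if inner.startswith("'") and inner.endswith("'"):
            fields.update(_kv(inner[1:-1]))
        records.append({"type": m.group("type"), "ts": float(m.group("ts")),
                        "serial": int(m.group("serial")), "fields": fields})
    return records


def summarize(records):
    """Count records per origin category: the answer to 'why is this here?'."""
    return Counter(classify(r["type"]) for r in records)


def failed_auths(records):
    """Failed PAM authentications, visible with zero rules loaded."""
    return [(r["type"], r["fields"].get("acct"), r["fields"].get("addr"))
            for r in records
            if r["type"] in ("USER_AUTH", "USER_LOGIN")
            and r["fields"].get("res") == "failed"]


def exclude_rules(types):
    """audit.rules lines that drop the named record types on the kernel's
    exclude filter, which matches on msgtype (older kernels accept only that
    field there). Load with auditctl or put them in /etc/audit/audit.rules."""
    return ["-a always,exclude -F msgtype=%s" % t for t in sorted(types)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for category, n in summarize(recs).most_common():
        print("%-22s %d" % (category, n))
    for rtype, acct, addr in failed_auths(recs):
        print("failed auth: type=%s acct=%s addr=%s" % (rtype, acct, addr))
    print("\n".join(exclude_rules({"CRED_REFR", "USER_END"})))
```

Run it against a real file with `parse_records(open("/var/log/audit/audit.log").read())`; anything landing in "unclassified" is a type the prefix tables above do not know and worth looking up before you decide to exclude it, since the hardwired login, logout and account-management records are exactly the ones compliance baselines expect to find.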