audit events w/o audit rules?
Todd Heberlein
todd_heberlein at mac.com
Mon Mar 12 18:55:32 UTC 2018
Following the poor practice of replying to my own email :(
Apparently most of the data in audit.log is associated with PAM auditing.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit
todd
> On Mar 12, 2018, at 11:16 AM, Todd Heberlein <todd_heberlein at mac.com> wrote:
>
> I am using a Linux system (RHEL 6.9) with no audit rules set:
>
> $ sudo auditctl -l
> No rules
>
> but some data is still populating the audit log file
>
> /var/log/audit/audit.log
>
> Are there processes (or kernel code) that generate their own audit events that bypass the configured audit rules?
>
> Thanks,
>
> Todd
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
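One way to check the observation above on a given log, as an added example that is not part of the original thread: tally audit.log records by where they come from. The bucket names and sample records are constructed for this example; it assumes PAM-generated records carry an `op=PAM:` field and that rule matches appear as SYSCALL records with a non-null `key=`.

```python
import re
import sys
from collections import Counter

# Constructed sample in audit.log record format (not data from the thread).
SAMPLE_LOG = """\
type=DAEMON_START msg=audit(1520880000.100:1001): auditd start, ver=2.4.5 format=raw auid=4294967295 pid=1200 res=success
type=USER_AUTH msg=audit(1520880932.211:1002): user pid=2301 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="todd" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=USER_ACCT msg=audit(1520880932.215:1003): user pid=2301 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="todd" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1520880932.218:1004): user pid=2301 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="todd" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=LOGIN msg=audit(1520880932.221:1005): login pid=2301 uid=0 old auid=4294967295 new auid=500 old ses=4294967295 new ses=7
type=USER_START msg=audit(1520880932.230:1006): user pid=2301 uid=0 auid=500 ses=7 msg='op=PAM:session_open acct="todd" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=success'
type=SYSCALL msg=audit(1520881000.500:1007): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2300 pid=2400 auid=500 uid=0 comm="cat" exe="/bin/cat" key="passwd_watch"
this line is not an audit record
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:\d+\):")
PAM_OP = re.compile(r"\bop=PAM:\w+")             # written by PAM-aware programs
RULE_KEY = re.compile(r"\bkey=(?!\(null\))\S+")  # key set by a matching audit rule

def classify(line):
    """Return (record_type, origin) for one log line, or None if it is not a record."""
    m = HEADER.match(line)
    if not m:
        return None
    rtype = m.group(1)
    if PAM_OP.search(line):
        return rtype, "pam"
    if rtype == "SYSCALL" and RULE_KEY.search(line):
        return rtype, "rule"
    return rtype, "other"      # e.g. auditd's own DAEMON_START, kernel LOGIN

def summarize(text):
    """Count records per origin and per (origin, type); count unparseable lines."""
    origins, types, skipped = Counter(), Counter(), 0
    for line in text.splitlines():
        result = classify(line)
        if result is None:
            if line.strip():
                skipped += 1
            continue
        rtype, origin = result
        origins[origin] += 1
        types[(origin, rtype)] += 1
    return origins, types, skipped

if __name__ == "__main__":
    # Pass a log path (e.g. /var/log/audit/audit.log, read as root) or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    origins, types, skipped = summarize(text)
    for (origin, rtype), n in sorted(types.items()):
        print(f"{origin:5} {rtype:14} {n}")
    print(dict(origins), "unparsed:", skipped)
```

With no rules loaded, the `rule` bucket should stay empty while the `pam` bucket keeps growing with each login, su or sudo.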