audit events w/o audit rules?
Richard Guy Briggs
rgb at redhat.com
Tue Mar 13 04:30:00 UTC 2018
On 2018-03-12 22:30, Steve Grubb wrote:
> On Mon, 12 Mar 2018 11:55:32 -0700
> Todd Heberlein <todd_heberlein at mac.com> wrote:
>
> > Following the poor practice of replying to my own email :(
> >
> > Apparently most of the data in audit.log is associated with PAM
> > auditing.
> >
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit
> tps://www.redhat.com/mailman/listinfo/linux-audit
>
> There are hardwired events (events that show up no matter what the
> rules say) that come from things that are required. For example: logins,
> logouts, adding a user, deleting a user, changing a password, etc. These
> are usually documented in our STIG rules saying this requirement is met
> due to hardwired events.
To add to what Steve said, if you are really certain you don't want to
see certain types of events/records, you can create exclude rules to
drop them. Some of the events are kernel-generated and some are
user-generated.
> -Steve
- RGB
--
Richard Guy Briggs <rgb at redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635
More information about the Linux-audit
mailing list