Default logging with no rules
Steve Grubb
sgrubb at redhat.com
Thu Nov 19 14:34:04 UTC 2020
On Thursday, November 19, 2020 9:04:24 AM EST Andreas Hasenack wrote:
> I read in an old presentation (~2011) that these come from "trusted
> apps",
There are only 10 - 15 apps that are "trusted apps". They are logging events
that are required by various security standards such as Common Criteria, DISA
STIG, PCI DSS, etc.
> and in fact any process with cap_audit_write (iirc) can log
> such events.
While that may be true, it is generally not the case that they do in fact
log.
> The tip was that exclude/never list/action could be used to reduce this
> noise, is that still the case and recommended approach?
If you must, sure. Trusted app events are in the 1100-1199 range. But which
app is causing the problems that you see? In the past, we had to silence
crond because it was noisy.
> Or is there a way to use audit with only the rules defined in
> /etc/audit/rules.d?
The rules in that dir are insufficient to fulfill regulatory requirements. If
you are doing some kind of syscall experiment, then I can see that you might
want to turn them off. But if your aim is meeting some kind of standard, then
other events are required.
-Steve
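Steve's advice is to find out which trusted app is actually producing the noise before silencing anything with an exclude rule. The following is an added Python example, not code from this thread or from the audit project: it counts records whose type falls in the 1100-1199 trusted-app range per (type, exe) pair from audit.log lines and drafts matching `-a always,exclude` rules for the pairs that dominate. The sample records are constructed (the crond PAM sequence and one sshd login), the NEVER_EXCLUDE list is an illustrative policy rather than any standard's list, and the generated rules assume a kernel and auditctl that accept the `exe` field on the exclude filter.

```python
"""Count trusted-app audit events per (type, exe) and draft exclude rules.

Added example, not code from the linux-audit thread or the audit project.
Input is a few constructed audit.log records; the event-type numbers come
from libaudit.h.
"""
import re
import sys
from collections import Counter

# Event types auditd writes by name; their numeric ids sit in the 1100-1199
# "trusted application" range discussed in the thread (values from libaudit.h).
TRUSTED_APP_TYPES = {
    "USER_AUTH": 1100, "USER_ACCT": 1101, "USER_MGMT": 1102,
    "CRED_ACQ": 1103, "CRED_DISP": 1104, "USER_START": 1105,
    "USER_END": 1106, "CRED_REFR": 1110, "USER_LOGIN": 1112,
    "USER_LOGOUT": 1113, "USER_CMD": 1123,
}

# Illustrative policy (an assumption of this example, not a standard's list):
# authentication, login and command events are never excluded, however noisy.
NEVER_EXCLUDE = {"USER_AUTH", "USER_LOGIN", "USER_LOGOUT", "USER_ACCT", "USER_CMD"}

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):")
EXE_RE = re.compile(r'exe="(?P<exe>[^"]*)"')


def parse_record(line):
    """Return {'type', 'serial', 'exe'} for one audit.log line, or None if it is not a record."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    exe_m = EXE_RE.search(line)
    return {"type": m.group("type"), "serial": int(m.group("serial")),
            "exe": exe_m.group("exe") if exe_m else None}


def summarize(log_text):
    """Count trusted-app records per (type, exe); SYSCALL and other kernel records are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["type"] in TRUSTED_APP_TYPES:
            counts[(rec["type"], rec["exe"])] += 1
    return counts


def exclude_rules(counts, threshold):
    """Draft audit.rules exclude lines for (type, exe) pairs seen at least `threshold` times.

    Assumes the kernel/auditctl in use accept the exe field on the exclude filter.
    Pairs in NEVER_EXCLUDE are skipped regardless of volume.
    """
    rules = []
    for (mtype, exe), n in sorted(counts.items()):
        if n >= threshold and exe and mtype not in NEVER_EXCLUDE:
            rules.append(f"-a always,exclude -F msgtype={mtype} -F exe={exe}")
    return rules


def cron_cycle(serial, ts):
    """Constructed: the four PAM records one crond job run emits (credentials, session open/close)."""
    common = "pid=812 uid=0 auid=4294967295 ses=4294967295"
    tail = 'acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success\''
    return [
        f"type=CRED_ACQ msg=audit({ts}.101:{serial}): {common} msg='op=PAM:setcred {tail}",
        f"type=USER_START msg=audit({ts}.102:{serial + 1}): {common} msg='op=PAM:session_open {tail}",
        f"type=USER_END msg=audit({ts}.210:{serial + 2}): {common} msg='op=PAM:session_close {tail}",
        f"type=CRED_DISP msg=audit({ts}.211:{serial + 3}): {common} msg='op=PAM:setcred {tail}",
    ]


# Constructed sample log: three cron runs, one ssh login, one syscall record.
SAMPLE_LOG = "\n".join(
    line for i in range(3) for line in cron_cycle(1200 + 4 * i, 1605796440 + 60 * i)
) + "\n" + "\n".join([
    "type=USER_LOGIN msg=audit(1605796700.000:1300): pid=900 uid=0 auid=1000 ses=3 "
    "msg='op=login id=1000 exe=\"/usr/sbin/sshd\" hostname=192.0.2.10 addr=192.0.2.10 "
    "terminal=/dev/pts/0 res=success'",
    "type=SYSCALL msg=audit(1605796701.000:1301): arch=c000003e syscall=59 success=yes exit=0 "
    "ppid=1 pid=950 auid=1000 uid=1000 comm=\"ls\" exe=\"/usr/bin/ls\" key=\"exec\"",
]) + "\n"


if __name__ == "__main__":
    # Read a real audit.log from stdin when piped; fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    counts = summarize(text)
    for (mtype, exe), n in counts.most_common():
        print(f"{n:6d}  {mtype:<12} {exe}")
    print("# candidate rules for /etc/audit/rules.d (review before installing):")
    for rule in exclude_rules(counts, threshold=2):
        print(rule)
```

Pipe a real log in with `python3 audit_noise.py < /var/log/audit/audit.log`; the rules it prints are candidates only, and whether excluding a given type is acceptable depends on which standard the system has to meet, as the reply above points out.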