audit events w/o audit rules?
Steve Grubb
sgrubb at redhat.com
Mon Mar 12 21:30:44 UTC 2018
On Mon, 12 Mar 2018 11:55:32 -0700
Todd Heberlein <todd_heberlein at mac.com> wrote:
> Following the poor practice of replying to my own email :(
>
> Apparently most of the data in audit.log is associated with PAM
> auditing.
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit
tps://www.redhat.com/mailman/listinfo/linux-audit
There are hardwired events (events that show up no matter what the
rules say) that come from things that are required. For example: logins,
logouts, adding a user, deleting a user, changing a password, etc. These
are usually documented in our STIG rules saying this requirement is met
due to hardwired events.
-Steve
More information about the Linux-audit
mailing list