I installed auditd and audispd-plugins on my Debian Jessie machine and didn't touch any configuration. I see events being written to /var/log/audit/audit.log, for example:

type=LOGIN msg=audit(1462384141.770:838): pid=3662 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=21 res=1
type=USER_START msg=audit(1462384141.770:839): pid=3662 uid=0 auid=0 ses=21 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1462384141.778:840): pid=3662 uid=0 auid=0 ses=21 msg='op=PAM:setcred acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1462384141.778:841): pid=3662 uid=0 auid=0 ses=21 msg='op=PAM:session_close acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=USER_ACCT msg=audit(1462384201.780:842): pid=3761 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1462384201.780:843): pid=3761 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1462384201.780:844): pid=3761 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=22 res=1
type=USER_START msg=audit(1462384201.780:845): pid=3761 uid=0 auid=0 ses=22 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1462384201.796:846): pid=3761 uid=0 auid=0 ses=22 msg='op=PAM:setcred acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1462384201.800:847): pid=3761 uid=0 auid=0 ses=22 msg='op=PAM:session_close acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'

But I'm not sure why I'm seeing anything in the log in the first place, because I have no rules defined:

$ auditctl -l
No rules

I can't find any rules in /etc/audit/audit.rules or /etc/audit/rules.d except for the defaults:

-D
-b 320

Obviously I'm missing something. What is getting logged by default?

PersianGulf
2rs2ts

2 Answers

These events are coming from other capabilities (pam, openssh, etc.) that send audit events to the auditing service. If you don't want any events, add audit=0 to the kernel command line args.

If you want to know which capabilities may want to use the auditing service, try something like

[burn@fc24 ~]$ rpm -q --whatrequires audit-libs
libsemanage-2.5-2.fc24.x86_64
shadow-utils-4.2.1-8.fc24.x86_64
pam-1.2.1-5.fc24.x86_64
util-linux-2.28-3.fc24.x86_64
openssh-7.2p2-9.fc24.x86_64
passwd-0.79-8.fc24.x86_64
gdm-3.20.1-3.fc24.x86_64
pam-1.2.1-5.fc24.i686
[burn@fc24 ~]$ 
BurnA

By default, auditd logs security-related commands. This is not something that can be seen in the config files, it happens by default when auditd is running. You can get a summary of what commands have been logged on your system recently using:

sudo aureport -x --summary

I have been unable to find a list of all the commands that are logged by default. My CentOS 7 system logs these by default (not an exhaustive list, just what's shown in the logs):

/usr/sbin/crond
/usr/libexec/dovecot/auth
/usr/sbin/sshd
/usr/bin/sudo
/usr/sbin/xtables-multi
/usr/lib/systemd/systemd
/usr/bin/passwd

It also logs log-ins, log-outs and SELinux-related messages.

Two articles that were used for reference:

  • Is it possible to suppress some of these? I'm tracking an actual issue, but one remote monitoring plugin uses an ssh connection every few minutes that clutters up the logs something fierce. – Shadur Apr 05 '17 at 11:09
  • The best thing to look at is probably the remote monitoring plugin, see if you can stop it from logging. Or filter the logs to get only what you want. – Apr 05 '17 at 16:29
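As an added example (not from the question or either answer), here is a small Python parser for the audit.log record format shown above that groups records by the reporting executable, the same view the second answer gets from `aureport -x --summary`; the sample lines are constructed from the question's log, and the `(no exe)` bucket name is my own choice for kernel records such as LOGIN that carry no exe field.

```python
import re
from collections import Counter

# Constructed sample: records copied in shape from the question's audit.log.
SAMPLE_LOG = """\
type=LOGIN msg=audit(1462384141.770:838): pid=3662 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=21 res=1
type=USER_START msg=audit(1462384141.770:839): pid=3662 uid=0 auid=0 ses=21 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1462384141.778:840): pid=3662 uid=0 auid=0 ses=21 msg='op=PAM:setcred acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=USER_ACCT msg=audit(1462384201.780:842): pid=3761 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
"""

# type=<TYPE> msg=audit(<epoch.millis>:<serial>): <key=value ...>
HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# key=value where value is "double-quoted", 'single-quoted' or a bare token
KV_RE = re.compile(r"""(\S+?)=("([^"]*)"|'([^']*)'|(\S+))""")


def parse_fields(text):
    """Turn 'a=1 b="x" msg=\'c=2\'' into a flat dict, flattening the nested msg."""
    fields = {}
    for m in KV_RE.finditer(text):
        key = m.group(1)
        dq, sq, bare = m.group(3), m.group(4), m.group(5)
        if key == "msg" and sq is not None:
            # PAM records carry their own key=value pairs inside msg='...'
            fields.update(parse_fields(sq))
        else:
            fields[key] = dq if dq is not None else sq if sq is not None else bare
    return fields


def parse_record(line):
    """Parse one audit.log line; returns None for lines not in audit format."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    rec.update(parse_fields(m.group(4)))
    return rec


def summarize_by_exe(log_text):
    """Count records per reporting executable (cf. `aureport -x --summary`).
    Kernel records without an exe field, such as LOGIN, land under '(no exe)'."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            counts[rec.get("exe", "(no exe)")] += 1
    return counts


if __name__ == "__main__":
    for exe, n in summarize_by_exe(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {exe}")
```

Running it over a real /var/log/audit/audit.log shows at a glance which user-space programs (cron, sshd, sudo, ...) are generating records through PAM even with `auditctl -l` reporting no rules.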