On Mon, 12 Mar 2018 11:55:32 -0700 Todd Heberlein <todd_heberl...@mac.com> wrote:
> Following the poor practice of replying to my own email :(
>
> Apparently most of the data in audit.log is associated with PAM
> auditing.
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit

There are hardwired events (events that show up no matter what the rules say) that come from things that are required. For example: logins, logouts, adding a user, deleting a user, changing a password, etc. These are usually documented in our STIG rules saying this requirement is met due to hardwired events.

-Steve
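The split described in the reply above, as an added example that is not part of the original thread: it groups audit.log records into events and separates those whose record type corresponds to the hardwired events named in the message from those tagged with a rule key. The record-type set, the rule key `identity` and the sample lines are assumptions constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Assumed mapping (this example's, not an exhaustive list) from the events named
# in the message to audit record types written by trusted user-space programs.
HARDWIRED_TYPES = {"USER_LOGIN", "USER_LOGOUT", "ADD_USER", "DEL_USER", "USER_CHAUTHTOK"}

RECORD = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
RULE_KEY = re.compile(r'\bkey="([^"]+)"')  # key=(null), written when a rule has no -k, is ignored

# Constructed sample records in audit.log format (not taken from a real host).
SAMPLE = """\
type=CRED_ACQ msg=audit(1520880931.900:309): pid=1201 uid=0 msg='op=PAM:setcred acct="alice" res=success'
type=USER_LOGIN msg=audit(1520880932.101:310): pid=1201 uid=0 msg='op=login id=1000 terminal=ssh res=success'
type=USER_CHAUTHTOK msg=audit(1520880935.220:311): pid=1250 uid=0 msg='op=PAM:chauthtok acct="alice" res=success'
type=SYSCALL msg=audit(1520880940.500:312): arch=c000003e syscall=2 success=yes comm="vi" key="identity"
type=PATH msg=audit(1520880940.500:312): item=0 name="/etc/passwd" inode=131 nametype=NORMAL
type=ADD_USER msg=audit(1520880950.010:313): pid=1300 uid=0 msg='op=add-user id=1001 res=success'
type=SYSCALL msg=audit(1520880960.700:314): arch=c000003e syscall=2 success=yes comm="cat" key="identity"
""".splitlines()

def classify(lines):
    """Group records into events by (timestamp, serial) and bucket each event."""
    events = defaultdict(lambda: {"types": [], "keys": set()})
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        rtype, stamp, serial, body = m.groups()
        event = events[(stamp, serial)]
        event["types"].append(rtype)
        event["keys"].update(RULE_KEY.findall(body))
    hardwired, by_rule, unclassified = Counter(), Counter(), Counter()
    for event in events.values():
        fixed = [t for t in event["types"] if t in HARDWIRED_TYPES]
        if fixed:
            hardwired[fixed[0]] += 1      # present regardless of loaded rules
        elif event["keys"]:
            by_rule.update(event["keys"])  # attributable to a keyed rule
        else:
            unclassified[event["types"][0]] += 1
    return dict(hardwired), dict(by_rule), dict(unclassified)

if __name__ == "__main__":
    for name, bucket in zip(("hardwired", "by rule key", "unclassified"), classify(SAMPLE)):
        print(name, bucket)
```

Events left in the unclassified bucket are neither in the assumed set nor keyed, so they need a look at the record type before being attributed to a rule.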