On 2018-03-12 22:30, Steve Grubb wrote:
> On Mon, 12 Mar 2018 11:55:32 -0700
> Todd Heberlein <todd_heberl...@mac.com> wrote:
>
> > Following the poor practice of replying to my own email :(
> >
> > Apparently most of the data in audit.log is associated with PAM
> > auditing.
> >
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing#sec-configuring_pam_tty_audit
>
> There are hardwired events (events that show up no matter what the
> rules say) that come from things that are required. For example: logins,
> logouts, adding a user, deleting a user, changing a password, etc. These
> are usually documented in our STIG rules saying this requirement is met
> due to hardwired events.
To add to what Steve said, if you are really certain you don't want to see certain types of events/records, you can create exclude rules to drop them. Some of the events are kernel-generated and some are user-generated.

> -Steve

- RGB

--
Richard Guy Briggs <r...@redhat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
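As an added illustration of the two points in this exchange (this is example code, not from the thread or from the audit project): a Python script that tallies a constructed audit.log sample by record type, separates user-space (PAM) records from kernel-generated ones, and proposes exclude rules for the noisy PAM types while leaving the record types behind the hardwired login/user/password events alone. The mapping of those events to record types and the `msg='` origin heuristic are my assumptions.

```python
import re
from collections import Counter

# Constructed audit.log sample (not from the thread). One cron job emits a
# full PAM cycle, which is why PAM records dominate a quiet host's log.
SAMPLE_LOG = """\
type=USER_ACCT msg=audit(1520892000.101:501): pid=2101 uid=0 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" terminal=cron res=success'
type=CRED_ACQ msg=audit(1520892000.102:502): pid=2101 uid=0 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" terminal=cron res=success'
type=LOGIN msg=audit(1520892000.103:503): pid=2101 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=17 res=1
type=USER_START msg=audit(1520892000.104:504): pid=2101 uid=0 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" terminal=cron res=success'
type=CRED_DISP msg=audit(1520892000.105:505): pid=2101 uid=0 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" terminal=cron res=success'
type=USER_END msg=audit(1520892000.106:506): pid=2101 uid=0 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" terminal=cron res=success'
type=USER_LOGIN msg=audit(1520892060.201:601): pid=2200 uid=0 auid=1000 ses=18 msg='op=login id=1000 exe="/usr/sbin/sshd" addr=203.0.113.5 terminal=/dev/pts/0 res=success'
type=SYSCALL msg=audit(1520892120.301:701): arch=c000003e syscall=2 success=yes exit=3 pid=2300 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="etc-read"
type=PATH msg=audit(1520892120.301:701): item=0 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

# Record types behind the hardwired events Steve lists (logins, logouts,
# user add/delete, password change). Assumed mapping; match it to your own
# STIG or site policy before excluding anything.
REQUIRED_TYPES = {"USER_LOGIN", "USER_LOGOUT", "ADD_USER", "DEL_USER", "USER_CHAUTHTOK"}

TYPE_RE = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:\d+\):")

def tally(log_text):
    """Count records per type, split by origin. Heuristic (assumed): user-space
    records from PAM and friends carry a nested msg='...' payload; kernel
    records such as SYSCALL, PATH and LOGIN do not."""
    counts = {"user": Counter(), "kernel": Counter()}
    for line in log_text.splitlines():
        m = TYPE_RE.match(line)
        if not m:
            continue  # not an audit record line
        origin = "user" if "msg='" in line else "kernel"
        counts[origin][m.group(1)] += 1
    return counts

def exclude_rules(counts, min_count=1):
    """Propose audit.rules exclude-filter lines for noisy user-space types,
    never for the required ones. Dropping a type loses that record everywhere,
    so only do this when you are certain you do not need it."""
    noisy = [t for t, n in counts["user"].items()
             if n >= min_count and t not in REQUIRED_TYPES]
    return [f"-a always,exclude -F msgtype={t}" for t in sorted(noisy)]

if __name__ == "__main__":
    c = tally(SAMPLE_LOG)
    print("user-space:", dict(c["user"]), "\nkernel:", dict(c["kernel"]))
    print("\n".join(exclude_rules(c)))
```

Run it against a real `/var/log/audit/audit.log` to see which types actually dominate before deciding what, if anything, to exclude.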