The audit.log file still contains messages even though no audit rules have been added.
Environment
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
Issue
- Even though the audit.rules file includes the "-D" option (delete all rules) by default, some messages are still seen in the audit.log file.
- How can the default messages logged in the audit.log file be disabled?
Resolution
- The recommended approach is to associate a "key" (using -k) with each custom rule you have set and then use that key with "ausearch -k" and "aureport -k" to pull out the audit records for those specific rules, leaving the records that no rule produced (login/logout, PAM authentication) in the log but out of your searches.
- Or, the filters can be disabled and the custom rule can be added as an exclusion in /etc/audit/audit.rules, for example:
  -a task,never -a entry,never -a exit,never -a user,never -a exclude,never -F msgtype=avc
  Note that this second approach suppresses the matching records entirely rather than hiding them from searches; the new rule set takes effect after auditd is restarted or the file is loaded with "auditctl -R /etc/audit/audit.rules".
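The keyed-rule approach from the first bullet, as an added example that is not from the Red Hat article. It writes a constructed audit.rules and a constructed audit.log (four hand-written records, not captured from any system) into a temporary directory, and its records_for_key and unkeyed_records functions reproduce the selection that "ausearch -k" makes on a real host, so the difference between rule-generated records (they carry key="...") and the PAM-generated login/authentication records (they carry no key) is visible offline. The paths under $WORK, the key names and the record contents are assumptions for the demo; on a host the files are /etc/audit/audit.rules and /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): keyed audit rules plus a
# filter that reproduces what "ausearch -k <key>" selects from audit.log.
# Everything under $WORK is constructed for this demo; the real files are
# /etc/audit/audit.rules and /var/log/audit/audit.log.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Rules file: flush existing rules (-D), then keyed rules. Each "-k"
#    tag ends up as key="..." on every record the rule generates.
cat > "$WORK/audit.rules" <<'EOF'
-D
-b 8192
-w /etc/passwd -p wa -k watch_passwd
-w /etc/shadow -p wa -k watch_shadow
-a exit,always -F arch=b64 -S execve -F euid=0 -k root_exec
EOF

# 2. Constructed audit.log: two records produced by the rules above (they
#    carry key=) and two PAM-originated records (USER_AUTH, USER_LOGIN),
#    which carry no key because no rule produced them.
cat > "$WORK/audit.log" <<'EOF'
type=SYSCALL msg=audit(1300000000.001:101): arch=c000003e syscall=2 success=yes exit=3 auid=500 uid=0 comm="vi" exe="/bin/vi" key="watch_passwd"
type=USER_AUTH msg=audit(1300000000.002:102): user pid=2101 uid=0 auid=4294967295 msg='op=PAM:authentication acct="bob" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1300000000.003:103): user pid=2101 uid=0 auid=500 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1300000000.004:104): arch=c000003e syscall=59 success=yes exit=0 auid=500 uid=0 comm="id" exe="/usr/bin/id" key="root_exec"
EOF

# records_for_key KEY [LOG]: the records a rule tagged "-k KEY" produced,
# i.e. the selection "ausearch -k KEY" makes on a real system.
records_for_key() {
    grep -F "key=\"$1\"" "${2:-$WORK/audit.log}"
}

# unkeyed_records [LOG]: records no rule produced. These are the "default"
# messages the article is about; PAM's USER_* records are among them, and
# "-D" in audit.rules does nothing to them.
unkeyed_records() {
    grep -v 'key="' "${1:-$WORK/audit.log}"
}

# record_types [LOG]: one line per record type with its count, the kind of
# summary "aureport" gives.
record_types() {
    sed -n 's/^type=\([A-Z_]*\) .*/\1/p' "${1:-$WORK/audit.log}" | sort | uniq -c
}

# On a real host, after loading the rules:
#   auditctl -R /etc/audit/audit.rules
#   ausearch -k watch_passwd      # only records from that one rule
#   aureport -k                   # per-key summary
echo "== records tagged watch_passwd =="
records_for_key watch_passwd
echo "== records no rule produced (PAM login/auth) =="
unkeyed_records
echo "== record types in the log =="
record_types
```

The demo makes the root cause concrete: the USER_AUTH and USER_LOGIN records never match a key because no rule in audit.rules generated them, so "-D" leaves them untouched, and searching by key simply skips them.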
Diagnostics
- Check the auditctl(8) manpage for the different filter lists and actions available:

  -a list,action
      Append rule to the end of list with action. Please note the comma separating the two values. Omitting it will cause errors.

      The following describes the valid list names:

      task     Add a rule to the per task list. This rule list is used only at the time a task is created -- when fork() or clone() are called by the parent task. When using this list, you should only use fields that are known at task creation time, such as the uid, gid, etc.

      entry    Add a rule to the syscall entry list. This list is used upon entry to a system call to determine if an audit event should be created.

      exit     Add a rule to the syscall exit list. This list is used upon exit from a system call to determine if an audit event should be created.

      user     Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, and pid. All other fields will be treated as non-matching.

      exclude  Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would use this list to record that. The message type that you do not wish to see is given with the msgtype field.

      The following describes the valid actions for the rule:

      never    No audit records will be generated. This can be used to suppress event generation. In general, you want suppressions at the top of the list instead of the bottom. This is because the event triggers on the first matching rule.

      always   Allocate an audit context, always fill it in at syscall entry time, and always write out a record at syscall exit time.
Root Cause
The login/logout and user authentication audit records come from PAM, and their generation is hard coded: they are not produced by any rule in audit.rules, so deleting the rules with "-D" does not affect them.
Whenever a login, logout or authentication event occurs, PAM sends the message through the kernel's user-space audit interface as a user record (USER_AUTH, USER_LOGIN, CRED_ACQ and the like) and auditd writes it to /var/log/audit/audit.log. Because the user filter list only matches on uid, auid, gid and pid, such records can only be dropped by type through the exclude list (-F msgtype=...), not by the rules on the syscall lists.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.