How to collect only AVC (Access Vector Cache) with auditd

Solution In Progress - Updated -

Issue

  • After the system boots, audit records are written even though no audit rule is configured:
  • for example: user authentication (handled by PAM), crond, session opened, hostname, failed syscalls, etc.:

time->Thu Feb 28 10:50:01 2019
type=LOGIN msg=audit(1551369001.184:158): pid=4409 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=2 res=1
time->Thu Feb 28 10:50:01 2019
type=USER_START msg=audit(1551369001.207:159): pid=4409 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

----

  • There is no rule defined that generates these messages:
# auditctl -l
No rules
  • They are generated by different tools (PAM, cron, systemd, sshd, ...) and we cannot remove them.
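
A small parser, added here as an example and not part of this Red Hat article, that reads records in the layout shown above (the `time->` / `----` blocks that ausearch prints) and keeps only those of `type=AVC`. The LOGIN and USER_START lines are the ones from this page; the AVC record and the `name=`/`ino=` values in it are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the two records shown above (in ausearch's
# "time->" layout) plus one AVC record made up here for illustration.
SAMPLE_LOG = """\
time->Thu Feb 28 10:50:01 2019
type=LOGIN msg=audit(1551369001.184:158): pid=4409 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=2 res=1
----
time->Thu Feb 28 10:50:01 2019
type=USER_START msg=audit(1551369001.207:159): pid=4409 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
----
time->Thu Feb 28 10:50:02 2019
type=AVC msg=audit(1551369002.000:160): avc:  denied  { read } for  pid=4410 comm="crond" name="example.conf" dev="dm-0" ino=12345 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# Every audit record starts with its type and the audit(<epoch>:<serial>) stamp.
HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
# key=value pairs; values may be "double" or 'single' quoted (the PAM msg='...' blob).
FIELD_RE = re.compile(r"([\w-]+)=(\"[^\"]*\"|'[^']*'|\S+)")
# The SELinux-specific prefix of an AVC body: decision and requested permissions.
AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")


def parse_record(line: str) -> Optional[Dict[str, object]]:
    """Parse one type=... line into a dict; return None for time-> and ---- lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = {"type": m["type"], "timestamp": float(m["ts"]), "serial": int(m["serial"])}
    for key, value in FIELD_RE.findall(m["body"]):
        rec[key] = value.strip("\"'")
    if rec["type"] == "AVC":
        avc = AVC_RE.search(m["body"])
        if avc:
            rec["decision"] = avc["decision"]
            rec["perms"] = avc["perms"].split()
    return rec


def avc_records(text: str) -> List[Dict[str, object]]:
    """Keep only AVC records, dropping the PAM/cron/session records around them."""
    parsed = (parse_record(line) for line in text.splitlines())
    return [r for r in parsed if r is not None and r["type"] == "AVC"]


if __name__ == "__main__":
    for r in avc_records(SAMPLE_LOG):
        print(f"{r['serial']}: {r['decision']} {r['perms']} {r.get('scontext')} -> {r.get('tcontext')} ({r.get('tclass')})")
```

Point it at the output of `ausearch -i`-free raw records (e.g. `ausearch -m avc,login,user_start --raw`) or at `/var/log/audit/audit.log` directly to see only the SELinux denials.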

Environment

  • RHEL 6,7
  • auditd
  • AVC
