How to collect only AVC (Access Vector Cache) with auditd
Issue
- After the system boots, audit records are logged even though no audit rule is configured:
- e.g. user authentication (configured by PAM), crond, session opened, hostname, failed syscall, ...:
time->Thu Feb 28 10:50:01 2019
type=LOGIN msg=audit(1551369001.184:158): pid=4409 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=2 res=1
time->Thu Feb 28 10:50:01 2019
type=USER_START msg=audit(1551369001.207:159): pid=4409 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
----
- There is no rule defined that would generate these messages:
# auditctl -l
No rules
- They are generated by different components (PAM, cron, systemd, sshd, ...) and we can't remove them.
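The records shown above are in ausearch output format (a `time->` line, a `type=... msg=audit(ts:serial):` line, records separated by `----`). As an added example that is not part of this article, the following parser splits such output into records and keeps only those of type AVC, which lets a collector or SIEM forwarder drop the PAM, cron and LOGIN noise the Issue describes. The sample input is constructed from the two records quoted above plus one made-up AVC record.

```python
import re

# Constructed sample of ausearch-style output: the LOGIN and USER_START records
# from the article plus one constructed AVC record (not taken from a real system).
SAMPLE = """\
time->Thu Feb 28 10:50:01 2019
type=LOGIN msg=audit(1551369001.184:158): pid=4409 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=2 res=1
----
time->Thu Feb 28 10:50:01 2019
type=USER_START msg=audit(1551369001.207:159): pid=4409 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
----
time->Thu Feb 28 10:50:02 2019
type=AVC msg=audit(1551369002.001:160): avc:  denied  { read } for  pid=4410 comm="example" name="secret" dev="dm-0" ino=12345 scontext=system_u:system_r:crond_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0
----
"""

# Record header: type, audit timestamp, serial number, then the free-form body.
HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; values may be single- or double-quoted (e.g. msg='...' or comm="...").
FIELD = re.compile(r"(\S+?)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_records(text):
    """Split ausearch output on '----' and return (type, serial, fields) tuples."""
    records = []
    for chunk in text.split("----"):
        for line in chunk.strip().splitlines():
            m = HEADER.match(line)
            if not m:
                continue  # 'time->' lines and anything unrecognised are skipped
            fields = {k: v.strip("'\"") for k, v in FIELD.findall(m.group("body"))}
            records.append((m.group("type"), int(m.group("serial")), fields))
    return records


def only_avc(records):
    """Keep only SELinux AVC records; everything else is the rule-less noise."""
    return [r for r in records if r[0] == "AVC"]


def event_types(records):
    """Distinct record types present, useful to see what is being dropped."""
    return sorted({r[0] for r in records})


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("types seen:", event_types(recs))
    for rtype, serial, fields in only_avc(recs):
        print(rtype, serial, fields.get("scontext"), "->", fields.get("tcontext"))
```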
Environment
- RHEL 6,7
- auditd
- AVC