How to filter out events to only record AVCs with auditd

Solution Verified

Issue

  • After the system boots, audit records are written even though no audit rule is configured:

    • e.g. user authentication (via PAM), crond, sessions opened, hostname changes, failed syscalls, ...:
    time->Thu Feb 28 10:50:01 2019
    type=LOGIN msg=audit(1551369001.184:158): pid=4409 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=2 res=1
     ----
    time->Thu Feb 28 10:50:01 2019
    type=USER_START msg=audit(1551369001.207:159): pid=4409 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
     ----
    
  • There is no rule defined that generates these messages:

    # auditctl -l
    No rules
    
  • These records are emitted by other components (PAM, cron, systemd, sshd, ...) rather than by audit rules, so there is no rule to delete and the events cannot be switched off in those components.

Environment

  • Red Hat Enterprise Linux 6,7
  • auditd
  • AVC
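The records listed under Issue cannot be suppressed by removing rules, but auditd has a separate "exclude" filter list on which the only meaningful field is the record type (msgtype). The script below is an added example, not the article's own resolution: it writes one exclude rule that drops every record type other than AVC and USER_AVC, models the same predicate offline on constructed sample records so the effect can be previewed without touching a live system, and shows how to load and verify the rule. The rules file name /etc/audit/rules.d/99-avc-only.rules and the RHEL 7 layout (rules.d plus augenrules) are assumptions; the sample log lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not the Red Hat article's resolution): keep only SELinux AVC
# records by putting every other record type on the audit "exclude" filter.
# Assumes the RHEL 7 layout (/etc/audit/rules.d + augenrules); the rules file
# name below is an arbitrary choice.
set -eu

RULES_FILE=/etc/audit/rules.d/99-avc-only.rules

# The exclude list matches on msgtype. Several -F on one rule are ANDed, so
# this single rule drops every record whose type is neither AVC (kernel
# denial) nor USER_AVC (user-space object managers such as dbus/systemd).
avc_only_rules() {
    cat <<'EOF'
## Record SELinux denials only; LOGIN, USER_START, CRED_*, SYSCALL, ... are dropped
-a always,exclude -F msgtype!=AVC -F msgtype!=USER_AVC
EOF
}

# Offline model of the same predicate: run it over a saved audit.log to see
# what the rule would leave behind.
keep_avc_records() {
    grep -E '^type=(AVC|USER_AVC) '
}

# Constructed sample records (modelled on the article's output, not a capture).
sample_log() {
    cat <<'EOF'
type=LOGIN msg=audit(1551369001.184:158): pid=4409 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=2 res=1
type=USER_START msg=audit(1551369001.207:159): pid=4409 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1551369060.321:160): avc:  denied  { read } for  pid=4520 comm="httpd" name="index.html" dev="dm-0" ino=1310 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1551369060.321:160): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=4510 pid=4520 auid=4294967295 uid=48 gid=48 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=USER_AVC msg=audit(1551369061.000:161): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
EOF
}

# Number of sample records the rule keeps (AVC + USER_AVC).
count_kept() {
    sample_log | keep_avc_records | grep -c ''
}

# Number of exclude rules emitted (one rule carrying several ANDed conditions).
count_rules() {
    avc_only_rules | grep -c '^-a '
}

# Install and load the rule, then confirm it is active. Needs root and auditd.
# On RHEL 6 append the rule to /etc/audit/audit.rules and run
# `auditctl -R /etc/audit/audit.rules` instead of augenrules.
apply_rules() {
    avc_only_rules > "$RULES_FILE"
    augenrules --load
    auditctl -l                      # should now list the exclude rule
    # After the next cron run or login, nothing but AVCs should be recorded:
    ausearch -m LOGIN,USER_START -ts recent || echo "no LOGIN/USER_START records: filter is active"
}

case "${1:-}" in
    --apply) apply_rules ;;
    *) avc_only_rules; echo "kept sample records: $(count_kept)" ;;
esac
```

Two caveats before relying on this. The kernel evaluates the exclude list per record as each record is created, so the SYSCALL, CWD and PATH records that normally accompany a denial are dropped as well; if that context is wanted, extend the same rule with `-F msgtype!=SYSCALL -F msgtype!=CWD -F msgtype!=PATH` and check the result with `ausearch -m AVC`. And if an older auditctl rejects `!=` on msgtype, the same effect needs one `-a always,exclude -F msgtype=<TYPE>` rule per type to drop, because separate exclude rules are ORed while conditions within one rule are ANDed.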

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.
