How to filter out events to only record AVCs with auditd


Issue

  • After the system boots, audit records are written even though no audit rule is configured:

    • for example user authentication (generated by PAM), crond, session open/close, hostname, failed syscalls, ...:
    time->Thu Feb 28 10:50:01 2019
    type=LOGIN msg=audit(1551369001.184:158): pid=4409 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=2 res=1
    ----
    time->Thu Feb 28 10:50:01 2019
    type=USER_START msg=audit(1551369001.207:159): pid=4409 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    ----
    
  • No configured rule generates these records; the rule list is empty:

    # auditctl -l
    No rules
    
  • They are emitted directly to the audit subsystem by different components (PAM, cron, systemd, sshd, ...), so they cannot be removed by deleting audit rules.
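The following script is an added illustration, not the article's own solution text. It builds an auditd "exclude" rule set that drops the record types shown above (the `exclude` list is where `-F msgtype=` is matched, see auditctl(8)), and applies the same type list offline to a few sample log lines so the effect can be checked before the rules are loaded. The two sample lines are the ones from the issue; the AVC line and the additional record types beyond LOGIN and USER_START (the other PAM/session/service types) are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: generate auditd exclude rules for "noise" record types and
# check, offline, which sample records they would drop.

# Record types to drop. LOGIN and USER_START come from the issue text; the
# remaining types are assumed (typical PAM/session/service records).
NOISE_TYPES="LOGIN USER_START USER_END USER_LOGIN USER_ACCT USER_AUTH CRED_ACQ CRED_DISP CRED_REFR SERVICE_START SERVICE_STOP"

# Print a rules-file body: one exclude rule per record type.
gen_exclude_rules() {
    for t in $NOISE_TYPES; do
        printf '%s\n' "-a always,exclude -F msgtype=$t"
    done
}

# Extract the record type (the value after "type=") from one audit log line.
record_type() {
    printf '%s\n' "$1" | sed -n 's/.*type=\([A-Z_]*\).*/\1/p'
}

# Decide what the rule set would do with one line: prints "drop" or "keep".
# AVC is never listed in NOISE_TYPES, so AVC records are always kept.
filter_line() {
    t=$(record_type "$1")
    for n in $NOISE_TYPES; do
        [ "$t" = "$n" ] && { echo drop; return 0; }
    done
    echo keep
}

# Number of rules the generator emits (used as a self-check).
rule_count() {
    gen_exclude_rules | grep -c 'always,exclude'
}

# Constructed sample lines: the two records from the issue plus an assumed AVC.
SAMPLE_LOGIN='type=LOGIN msg=audit(1551369001.184:158): pid=4409 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=2 res=1'
SAMPLE_USER_START='type=USER_START msg=audit(1551369001.207:159): pid=4409 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg=op=PAM:session_open acct=root exe=/usr/sbin/crond terminal=cron res=success'
SAMPLE_AVC='type=AVC msg=audit(1551369100.000:200): avc:  denied  { read } for  pid=4500 comm="cat" name="shadow" scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# Stand-alone run: show the rules, then the decision for each sample line.
gen_exclude_rules
for line in "$SAMPLE_LOGIN" "$SAMPLE_USER_START" "$SAMPLE_AVC"; do
    printf '%-5s %s\n' "$(filter_line "$line")" "$(record_type "$line")"
done
```

To install the generated rules on RHEL 7, save the output of `gen_exclude_rules` to a file under `/etc/audit/rules.d/` (for example `10-exclude-noise.rules`) and restart auditd so `augenrules` loads it; on RHEL 6 append the lines to `/etc/audit/audit.rules` and restart auditd. Confirm with `auditctl -l`, which should now list the exclude rules. Two caveats: exclude rules match on record type only, so the SYSCALL and PATH records that accompany an AVC are left intact, and dropping USER_LOGIN, USER_AUTH and similar types also removes the authentication trail that many compliance baselines require, so prune the type list to what your environment can afford to lose.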

Environment

  • Red Hat Enterprise Linux 6, 7
  • auditd
  • AVC
