I installed auditd and audispd-plugins on my Debian Jessie machine and didn't touch any configuration. I see events being written to /var/log/audit/audit.log, for example:
type=LOGIN msg=audit(1462384141.770:838): pid=3662 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=21 res=1
type=USER_START msg=audit(1462384141.770:839): pid=3662 uid=0 auid=0 ses=21 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1462384141.778:840): pid=3662 uid=0 auid=0 ses=21 msg='op=PAM:setcred acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1462384141.778:841): pid=3662 uid=0 auid=0 ses=21 msg='op=PAM:session_close acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=USER_ACCT msg=audit(1462384201.780:842): pid=3761 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1462384201.780:843): pid=3761 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1462384201.780:844): pid=3761 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=22 res=1
type=USER_START msg=audit(1462384201.780:845): pid=3761 uid=0 auid=0 ses=22 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1462384201.796:846): pid=3761 uid=0 auid=0 ses=22 msg='op=PAM:setcred acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1462384201.800:847): pid=3761 uid=0 auid=0 ses=22 msg='op=PAM:session_close acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
But I'm not sure why I'm seeing anything in the log in the first place, because I have no rules defined:
$ auditctl -l
No rules
I can't find any rules in /etc/audit/audit.rules or /etc/audit/rules.d except for the defaults:
-D
-b 320
Obviously I'm missing something. What is getting logged by default?
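As an added example (not part of the question or of either answer), the following script parses the record format shown above and reports, for each record, whether a loaded rule was needed to produce it. The sample lines are copied from the question (the pid 3761 cron session); the split between rule-driven kernel records (SYSCALL, PATH, CWD, ...) and always-on records (USER_*/CRED_* sent by PAM-aware programs through libaudit, LOGIN written by the kernel when pam_loginuid sets the loginuid) is this example's own classification, not something stated in the thread.

```python
"""Parse audit.log records and say why each exists with no auditctl rules.

Added example, not from the original question or answers. The sample lines
are copied from the question. The classification below is an assumption
about how the Linux audit subsystem behaves: SYSCALL/PATH/CWD/EXECVE/
PROCTITLE records appear only when a -a or -w rule matches, whereas USER_*
and CRED_* records are sent by PAM-aware programs via libaudit and LOGIN is
emitted by the kernel when the loginuid is set, both with no rules loaded.
"""
import re
from collections import defaultdict

UNSET = 4294967295  # (unsigned)-1: auid/ses not yet assigned by pam_loginuid

# Record types that only a loaded -a/-w rule can produce.
RULE_DRIVEN_TYPES = {"SYSCALL", "PATH", "CWD", "EXECVE", "PROCTITLE", "SOCKADDR"}

HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
# key=value pairs; a value is single-quoted (nested msg), double-quoted, or bare
KV = re.compile(r"""(?P<key>[\w-]+)=(?P<val>'[^']*'|"[^"]*"|\S+)""")

# Copied from the question: one cron session for root, pid 3761.
SAMPLE_LINES = [
    "type=USER_ACCT msg=audit(1462384201.780:842): pid=3761 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct=\"root\" exe=\"/usr/sbin/cron\" hostname=? addr=? terminal=cron res=success'",
    "type=CRED_ACQ msg=audit(1462384201.780:843): pid=3761 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/sbin/cron\" hostname=? addr=? terminal=cron res=success'",
    "type=LOGIN msg=audit(1462384201.780:844): pid=3761 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=22 res=1",
    "type=USER_START msg=audit(1462384201.780:845): pid=3761 uid=0 auid=0 ses=22 msg='op=PAM:session_open acct=\"root\" exe=\"/usr/sbin/cron\" hostname=? addr=? terminal=cron res=success'",
    "type=CRED_DISP msg=audit(1462384201.796:846): pid=3761 uid=0 auid=0 ses=22 msg='op=PAM:setcred acct=\"root\" exe=\"/usr/sbin/cron\" hostname=? addr=? terminal=cron res=success'",
    "type=USER_END msg=audit(1462384201.800:847): pid=3761 uid=0 auid=0 ses=22 msg='op=PAM:session_close acct=\"root\" exe=\"/usr/sbin/cron\" hostname=? addr=? terminal=cron res=success'",
]


def parse_record(line):
    """Turn one audit.log line into a flat dict (nested msg='...' is merged in)."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"type": m["type"], "time": float(m["ts"]), "serial": int(m["serial"])}
    for kv in KV.finditer(m["body"]):
        key, val = kv["key"], kv["val"]
        if key == "msg" and val.startswith("'"):
            # msg='op=PAM:... acct="root" ...' carries its own key=value pairs
            for inner in KV.finditer(val[1:-1]):
                rec[inner["key"]] = inner["val"].strip('"')
        else:
            rec[key] = int(val) if val.isdigit() else val.strip('"')
    return rec


def classify(rec):
    """Return the origin of a record and, implicitly, whether it needed a rule."""
    t = rec["type"]
    if t in RULE_DRIVEN_TYPES:
        return "kernel rule"        # only present when auditctl -l shows a matching rule
    if t == "LOGIN":
        return "kernel loginuid"    # written when /proc/<pid>/loginuid is set; no rule
    if t.startswith(("USER_", "CRED_")):
        return "userspace pam"      # libaudit message from the exe= program; no rule
    return "other"


def sessions(records):
    """Group records by pid into the PAM lifecycle the log shows."""
    by_pid = defaultdict(lambda: {"types": [], "acct": None, "exe": None, "ses": None})
    for rec in records:
        s = by_pid[rec["pid"]]
        s["types"].append(rec["type"])
        s["acct"] = rec.get("acct", s["acct"])
        s["exe"] = rec.get("exe", s["exe"])
        if rec.get("ses", UNSET) != UNSET:   # ses becomes real once LOGIN happens
            s["ses"] = rec["ses"]
    return dict(by_pid)


def summarize(lines):
    """Count records per origin; 'needed_a_rule' answers the question's 'why'."""
    records = [parse_record(line) for line in lines]
    counts = defaultdict(int)
    for rec in records:
        counts[classify(rec)] += 1
    return {"counts": dict(counts), "sessions": sessions(records),
            "needed_a_rule": counts["kernel rule"]}


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    print(result["counts"])
    for pid, s in result["sessions"].items():
        print(pid, s["acct"], s["exe"], "ses", s["ses"], "->", " ".join(s["types"]))
```

Run against a real file with `summarize(open("/var/log/audit/audit.log").read().splitlines())`; on a box with no rules loaded, `needed_a_rule` stays 0 while the PAM and LOGIN counts grow with every cron run, sudo and SSH login, which is exactly the pattern in the question.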
These events are coming from other capabilities (pam, openssh, etc.) that send audit events to the auditing service. If you don't want any events, add audit=0 to the kernel command line args.
If you want to know which capabilities may want to use the auditing service, try something like
By default, auditd logs security-related commands. This is not something that can be seen in the config files, it happens by default when auditd is running. You can get a summary of what commands have been logged on your system recently using:
I have been unable to find a list of all the commands that are logged by default. My CentOS 7 system logs these by default (not an exhaustive list, just what's shown in the logs):
It also logs log-ins, log-outs and SELinux-related messages.
Two articles that were used for reference: