auditd - I have no rules set, still there is activity in audit.log

relikwie · 11-22-2016, 05:07 AM

Hi, I am trying to audit file deletions in a folder, and have set the rule accordignly, but saw a lot of entries being logged of types: USER_ACCTR, CRED_ACQ and USER_AUTH.

I have no idea were these come from, even starting auditd without any rules active, these entries are being logged.

Does anyone have an idea?

thanks much.

unSpawn · 11-22-2016, 05:48 PM

Quote:

Originally Posted by relikwie

I have no idea were these come from, even starting auditd without any rules active, these entries are being logged.

That's because USER_.* and CRED_.* are not related to syscalls or audit itself to generated by user land processes like login?

relikwie · 11-23-2016, 04:45 AM

Hi unSpawn, I get what you say. I am on RHEL server, so this means the package "audit" is an addition that adds more audting options.
The issue for me is, that these USER* and CRED* lines are clogging up audit.log. Guess there is no way around it?