When implementing CIS controls I came across a control to test whether 'an audit rule exists' that enables logging of successful and failed login attempts.
However, it seems that this event is logged in /var/log/audit.log (by auditd I assume) by default:
- Installed audit package
- no config changes to auditd.conf or audit rules
- no rules defined, the auditd.conf and rules are default
My questions are:
1. Is there any service that uses the audit daemon by default? Or what makes the audit service generate log data without any rules defined (besides the -D, -e 1)?
2. What is logged by default without any rules in /var/log/audit.log (I have seen logins, su and sudo)?
3. How can I test if the CIS control is being met, i.e. having an empty ruleset but seeing login information in audit.log (in my opinion I should test if auditd is running, and there is no 'audit=0' defined in grub.conf)?
Any help is appreciated.
Kind regards.
auditd default config (no rules defined) but audit.log is filled with data
- Posts: 1
- Joined: 2019/01/10 16:41:45
Post by nachtwaker69 » 2019/01/10 17:00:59
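One way to script the check proposed in question 3, as an added example that is not part of the original post: it looks for `audit=0` on the kernel command line and for watch rules on the login files. The function names and the path list are assumptions; take the exact paths from the benchmark text being implemented.

```shell
#!/bin/sh
# Added example. Functions take text as arguments so they can be fed live
# data (/proc/cmdline, `auditctl -l`) or saved output.

# Paths the login-events control watches. ASSUMPTION: copy the exact list
# from the benchmark version you are implementing.
LOGIN_PATHS="/var/log/faillog /var/log/lastlog /var/log/tallylog"

# 0 if the kernel command line does not switch auditing off with audit=0.
cmdline_allows_audit() {
    for word in $1; do
        [ "$word" = "audit=0" ] && return 1
    done
    return 0
}

# 0 if rule text $1 holds a watch on path $2 with both w and a permissions.
# Expects "-w PATH -p PERMS -k KEY" (audit.rules syntax); if your
# `auditctl -l` prints another format, pass the rules file contents instead.
has_watch_rule() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "-w" && $2 == p {
            for (i = 3; i < NF; i++)
                if ($i == "-p" && $(i + 1) ~ /w/ && $(i + 1) ~ /a/) ok = 1
        }
        END { exit !ok }'
}

# Prints one PASS/FAIL line per check; returns 0 only if all pass.
check_login_audit() {
    cmdline=$1 rules=$2 rc=0
    if cmdline_allows_audit "$cmdline"; then echo "PASS kernel audit not disabled"
    else echo "FAIL audit=0 on kernel command line"; rc=1; fi
    for p in $LOGIN_PATHS; do
        if has_watch_rule "$rules" "$p"; then echo "PASS watch on $p"
        else echo "FAIL no -p wa watch on $p"; rc=1; fi
    done
    return $rc
}

# Constructed sample: default install with an empty ruleset, as in the post.
check_login_audit "ro root=/dev/sda1 quiet" "No rules" || true
# Live use (as root), after confirming the daemon with `service auditd status`:
#   check_login_audit "$(cat /proc/cmdline)" "$(auditctl -l)"
```

Login records appearing in the log do not make the rule checks pass; the script reports on the loaded ruleset and the kernel setting only.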