auditd default config (no rules defined) but audit.log is filled with data

Posted: 2019/01/10 17:00:59
by nachtwaker69
When implementing CIS controls, I came across a control to test whether 'an audit rule exists' that enables logging of successful and failed login attempts.

However, it seems that this event is logged in /var/log/audit.log (by auditd I assume) by default:
- Installed audit package
- no config changes to auditd.conf or audit rules
- no rules defined, the auditd.conf and rules are default

My questions are:
1. Is there any service that uses the audit daemon by default? Or what makes the audit service generate log data without any rules defined (besides the -D, -e 1)?
2. What is logged by default without any rules in /var/log/audit.log? (I have seen logins, su and sudo.)
3. How can I test if the CIS control is being met, i.e. having an empty ruleset but seeing login information in audit.log? (In my opinion I should test if auditd is running, and that there is no 'audit=0' defined in grub.conf.)

Any help is appreciated.

Kind regards.
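An added check script for the situation described in the post (not code from the poster or from the audit project): it performs the two tests the poster proposes (no `audit=0` on the kernel command line, auditd ruleset state via `auditctl`) and counts the login-related records that PAM-aware programs such as sshd, login, su and sudo write to audit.log through the audit user-message interface even when no rules are loaded. The function names, file paths and sample log and cmdline content are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data below is constructed.

# Returns 0 when 'audit=0' is absent from the kernel command line file given as $1
# (defaults to /proc/cmdline on a live host).
audit_not_disabled_on_cmdline() {
    ! grep -qw 'audit=0' "${1:-/proc/cmdline}"
}

# Count login-related records in audit log $1. These types are emitted by
# sshd/login/su/sudo via PAM without any audit rules being loaded.
# $2 selects "all" (default), "success" or "failed".
count_login_records() {
    awk -v want="${2:-all}" '
        $1 ~ /^type=(USER_LOGIN|USER_AUTH|USER_START|USER_CMD)$/ {
            if (want == "all")                              n++
            else if (want == "success" && /res=success/)    n++
            else if (want == "failed"  && /res=failed/)     n++
        }
        END { print n + 0 }' "$1"
}

# Live host only (root, audit package installed): 'enabled 1' from -s together
# with 'No rules' from -l is exactly the state the poster describes.
live_audit_status() {
    command -v auditctl >/dev/null 2>&1 || { echo "auditctl not installed"; return 1; }
    auditctl -s
    auditctl -l
}

# Constructed sample input (layout follows audit.log; all values are made up).
SAMPLE_LOG=$(mktemp); SAMPLE_CMDLINE_OK=$(mktemp); SAMPLE_CMDLINE_OFF=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_CMDLINE_OK" "$SAMPLE_CMDLINE_OFF"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
type=USER_LOGIN msg=audit(1547139600.101:201): pid=1201 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=USER_AUTH msg=audit(1547139660.202:202): pid=1210 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=10.0.0.9 addr=10.0.0.9 terminal=ssh res=failed'
type=USER_CMD msg=audit(1547139720.303:203): pid=1222 uid=1000 auid=1000 ses=3 msg='cwd="/home/alice" cmd=6C73202F726F6F74 exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=SERVICE_START msg=audit(1547139780.404:204): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=cron comm="systemd" exe="/usr/lib/systemd/systemd" res=success'
EOF
echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet' >"$SAMPLE_CMDLINE_OK"
echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet audit=0' >"$SAMPLE_CMDLINE_OFF"

echo "login records: $(count_login_records "$SAMPLE_LOG") (failed: $(count_login_records "$SAMPLE_LOG" failed))"
```

On a real host, run `live_audit_status` as root and point `count_login_records` at /var/log/audit/audit.log (the path the audit package uses by default) to see the same record types the poster observed.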