From: Steve Grubb <sgrubb@redhat.com>
To: Linux-audit@redhat.com, Andreas Hasenack <andreas@canonical.com>
Subject: Re: Default logging with no rules
Date: Thu, 19 Nov 2020 09:34:04 -0500
Message-ID: <3080581.aeNJFYEL58@x2>
In-Reply-To: <CANYNYEGD9843AVu787kvczXyqBx1_+9PXW8g6TDUac2PyQ9O+g@mail.gmail.com>

On Thursday, November 19, 2020 9:04:24 AM EST Andreas Hasenack wrote:
> I read in an old presentation (~2011) that these come from "trusted
> apps",

There are only 10 - 15 apps that are "trusted apps". They are logging events 
that are required by various security standards such as Common Criteria, DISA 
STIG, PCI DSS, etc.

> and in fact any process with cap_audit_write (iirc) can log
> such events. 

While that may be true, it is generally not the case that they do in fact 
log.

> The tip was that exclude/never list/action could be used to reduce this
> noise, is that still the case and recommended approach?

If you must, sure. Trusted app events are in the 1100-1199 range. But which 
app is causing the problems that you see? In the past, we had to silence 
crond because it was noisy.

> Or is there a way to use audit with only the rules defined in /etc/audit/
> rules.d?

The rules in that dir are insufficient to fulfill regulatory requirements. If 
you are doing some kind of syscall experiment, then I can see that you might 
want to turn them off. But if your aim is meeting some kind of standard, then 
other events are required.

-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

