Other audit configurations

Other audit configurations

[Thomas, Daniel J.]

[-- Attachment #1.1: Type: text/plain, Size: 536 bytes --]

Hello again, list,

My officemate is looking into some other auditd configurations, but we
were also looking for more information for something that might not be
related.  We're running Redhat Enterprise 4 with audit 1.0.14-1.  We're
trying to figure out where some of the other information is coming from
that is in our audit.log file.  It seems to be pam information and such.
Where is that configured?  Back in Redhat 9, pam messages were in
messages.log and only audit messages were in audit.log.

Thanks!

-Dan Thomas

[-- Attachment #1.2: Type: text/html, Size: 1056 bytes --]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Thomas, Daniel J..vcf --]
[-- Type: text/x-vcard; name="Thomas, Daniel J..vcf", Size: 289 bytes --]

BEGIN:VCARD
VERSION:2.1
N:Thomas;Daniel
FN:Thomas, Daniel J.
ORG:JHU/APL;JWAD/JMS
TEL;WORK;VOICE:7924
ADR;WORK:;26-338;Mailstop: 26-332
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:26-338=0D=0AMailstop: 26-332
EMAIL;PREF;INTERNET:Daniel.Thomas@jhuapl.edu
REV:20030529T144431Z
END:VCARD

[-- Attachment #3: Type: text/plain, Size: 0 bytes --]

Re: Other audit configurations

[Steve Grubb]

On Thursday 11 January 2007 14:01, Thomas, Daniel J. wrote:
> We're trying to figure out where some of the other information is coming
> from that is in our audit.log file.  It seems to be pam information and
> such. 

Yes. Pam has been hooked because of the requirement to audit all use of 
authentication mechanisms. 

> Where is that configured?  

Its not configurable, its hardcoded into the pam libraries. In RHEL5 and FC6 
you can explicitly exclude those events if you wanted to.

-Steve