  1. #1
    Just Joined!
    Join Date
    Sep 2010
    Posts
    38

    Auditing Question....

    I am running RHEL 5.5 2.6.18-194.26.1.el5.

    I am investigating the auditing (auditd) and trying to learn how it works.

    I have verified that auditd is running as a process. The audit.rules file only has:

    # This file contains the auditctl rules that are loaded
    # whenever the audit daemon is started via the initscripts.
    # The rules are simply the parameters that would be passed
    # to auditctl.

    # First rule - delete all
    -D

    # Increase the buffers to survive stress events.
    # Make this bigger for busy systems
    -b 320

    # Feel free to add below this line. See auditctl man page


    But I am seeing many entries in the audit.log file and I am wondering how they are getting populated there? For instance, I see the ssh attempts, both success and failed attempts in audit.log. What is controlling this? And when is the audit.rules used?

    If you can point me to documentation that explains this...great!

    Thanks,

    Ray

  2. #2
    Linux Guru Rubberman
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, or in a galaxy far, far away.
    Posts
    8,974
    Read the auditd and related man pages. You should learn most of what you need there. In the SEE ALSO section you will find references to associated man pages, such as auditd.conf.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  3. #3
    Just Joined!
    Join Date
    Sep 2010
    Posts
    38
    Quote Originally Posted by Rubberman:
        Read the auditd and related man pages. You should learn most of what you need there. In the SEE ALSO section you will find references to associated man pages, such as auditd.conf.
    The audit.rules dictates what is to be audited. My audit.rules has nothing in it, yet I am getting entries in the audit.log file?

  4. #4
    Just Joined!
    Join Date
    Sep 2010
    Posts
    38

    RHEL 5 Audit Question

    I brought this up before but got sidetracked.

    I am not the administrator of this box but I am doing some security assessment.

    I am trying to figure out just how things are getting audited and logged. The ps -ef shows auditd is running. However, the audit.rules file is not configured for this. SELinux is off. I can see things like ssh access being logged and new users created in the /var/log/secure log file. But again, nothing in the audit.rules to dictate this.

    What am I missing?

    Thanks

    Ray
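
    An added example (not from the thread, and not part of audit's own tooling) that illustrates what the thread is asking about: sshd, login and useradd write USER_* and ADD_USER records to the kernel audit socket through libaudit and PAM whether or not audit.rules contains anything, while SYSCALL/PATH records only appear when an auditctl syscall or watch rule matches. The parser below runs over constructed RHEL 5-style audit.log lines (pids, uids and addresses are made up) and separates records by origin:

```python
import re
from collections import Counter

# Constructed sample of RHEL 5 audit.log records (pids, uids, addresses made up).
# Records 1-4 are emitted by sshd/PAM and useradd on their own; records 5-6 only
# appear when a rule such as "-w /etc/shadow -p wa -k shadow-watch" is loaded.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1290000001.100:201): user pid=3456 uid=0 auid=4294967295 msg='op=PAM:authentication acct="ray" exe="/usr/sbin/sshd" (hostname=10.0.0.5, addr=10.0.0.5, terminal=ssh res=success)'
type=USER_AUTH msg=audit(1290000002.200:202): user pid=3460 uid=0 auid=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" (hostname=10.0.0.9, addr=10.0.0.9, terminal=ssh res=failed)'
type=USER_LOGIN msg=audit(1290000003.300:203): user pid=3456 uid=0 auid=500 msg='op=login id=500 exe="/usr/sbin/sshd" (hostname=10.0.0.5, addr=10.0.0.5, terminal=/dev/pts/1 res=success)'
type=ADD_USER msg=audit(1290000004.400:204): user pid=3500 uid=0 auid=500 msg='op=adding user acct="bob" exe="/usr/sbin/useradd" (hostname=?, addr=?, terminal=pts/1 res=success)'
type=SYSCALL msg=audit(1290000005.500:205): arch=c000003e syscall=2 success=yes exit=3 items=1 pid=3600 auid=500 uid=0 comm="vi" exe="/bin/vi" key="shadow-watch"
type=PATH msg=audit(1290000005.500:205): item=0 name="/etc/shadow" inode=12345 dev=fd:00 mode=0100400 ouid=0 ogid=0
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$")
KV = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def _pairs(text):
    # key=value pairs, minus quotes and the punctuation of "(hostname=x, ... res=y)"
    return {k: v.strip("\"',:)") for k, v in KV.findall(text)}

def parse_record(line):
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, secs, serial, body = m.groups()
    fields = _pairs(body)
    if "msg" in fields:  # application records nest a second layer in msg='...'
        fields.update(_pairs(fields["msg"]))
    return {"type": rtype, "time": int(secs), "serial": int(serial), **fields}

APP_TYPES = {"ADD_USER", "DEL_USER", "ADD_GROUP", "DEL_GROUP", "USER_CHAUTHTOK"}
RULE_TYPES = {"SYSCALL", "PATH", "CWD", "EXECVE", "SOCKADDR"}

def origin(rtype):
    """'application': sent by a trusted program (sshd, login, useradd) through
    libaudit/PAM, no rule needed; 'rule': produced by a syscall or watch rule."""
    if rtype.startswith(("USER_", "CRED_")) or rtype in APP_TYPES:
        return "application"
    return "rule" if rtype in RULE_TYPES else "other"

def summarize(log_text):
    # Count records per origin and list the ssh/PAM authentication events
    by_origin, logins = Counter(), []
    for rec in filter(None, map(parse_record, log_text.splitlines())):
        by_origin[origin(rec["type"])] += 1
        if rec["type"] in ("USER_AUTH", "USER_LOGIN"):
            who = rec.get("acct", rec.get("id", "?"))
            logins.append((rec["type"], who, rec.get("addr", "?"), rec.get("res", "?")))
    return dict(by_origin), logins
```

    On a real system, ausearch -m USER_AUTH and aureport -au give the same view of the PAM-generated records without any script.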

  5. #5
    Just Joined!
    Join Date
    Sep 2010
    Posts
    38
    So, no one can answer this?
