When implementing CIS controls I came across a control to test whether 'an audit rule exists' that enables logging of successful and failed login attempts.
However, it seems that this event is logged in /var/log/audit.log (by auditd I assume) by default:
- Installed audit package
- no config changes to auditd.conf or audit rules
- no rules defined, the auditd.conf and rules are default
My questions are:
1. Is there any service that uses the audit daemon by default? Or what makes the audit service generate log data without any rules defined (besides the -D, -e 1)?
2. What is logged by default without any rules in /var/log/audit.log? (I have seen logins, su and sudo.)
3. How can I test if the CIS control is being met i.e. having an empty ruleset but seeing login information in audit.log (in my opinion I should test if auditd is running, and there is no 'audit=0' defined in grub.conf).
Any help is appreciated.
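Login records such as USER_LOGIN and USER_AUTH are sent to the kernel by PAM, sshd, su and sudo themselves and are relayed to auditd whether or not any rules are loaded, so the presence of those lines says nothing about the ruleset the CIS control asks for. The script below is an added example, not from the post or from CIS; it checks the three things the question lists (auditd running, no audit=0 on the kernel command line, and the login watch rules loaded) and assumes the watched paths /var/log/lastlog and /var/run/faillock, which vary by benchmark version.

```shell
#!/bin/sh
# Functions take their input as arguments so they can be run against captured
# data offline; "--live" runs them against the current host.

# Constructed sample input (not taken from any real system):
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz-5.15 root=/dev/sda1 ro quiet audit=1'
SAMPLE_RULES='-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins'

# audit=0 on the kernel command line disables the audit subsystem entirely.
cmdline_audit_disabled() {             # $1: contents of /proc/cmdline
    for tok in $1; do
        [ "$tok" = "$tok" ] && [ "$tok" = "audit=0" ] && return 0
    done
    return 1
}

# Does the loaded ruleset contain a watch with write+attribute permissions
# on every path given? Format matches "auditctl -l": -w PATH -p PERMS -k KEY
rules_cover_logins() {                 # $1: output of "auditctl -l"; $2..: paths
    _rules=$1; shift
    for path in "$@"; do
        perms=$(printf '%s\n' "$_rules" | awk -v p="$path" \
            '$1=="-w" && ($2==p || $2==(p "/")) && $3=="-p" {print $4}')
        case $perms in
            *w*a*|*a*w*) ;;            # both write and attribute-change watched
            *) return 1 ;;
        esac
    done
    return 0
}

# Live check: the three conditions from the question, evaluated on this host.
check_live() {
    pgrep -x auditd >/dev/null || { echo "FAIL: auditd not running"; return 1; }
    cmdline_audit_disabled "$(cat /proc/cmdline)" \
        && { echo "FAIL: audit=0 on kernel command line"; return 1; }
    rules_cover_logins "$(auditctl -l 2>/dev/null)" /var/log/lastlog /var/run/faillock \
        || { echo "FAIL: login watch rules not loaded"; return 1; }
    echo "PASS: auditd active, audit enabled, login watches loaded"
}

case "${1:-}" in
    --live) check_live ;;
    *)  cmdline_audit_disabled "$SAMPLE_CMDLINE" \
            && echo "sample: audit disabled" || echo "sample: audit not disabled"
        rules_cover_logins "$SAMPLE_RULES" /var/log/lastlog /var/run/faillock \
            && echo "sample: login watches present" ;;
esac
```

Run as root with `--live` on the target host; without arguments it only exercises the constructed sample data.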