How can `auditd` log in `/var/log/audit/audit.log` even `auditctl -l` is empty?

Question

My server is centos7.6

[root@localhost /]# auditctl -l
No rules
[root@localhost /]# cat /var/log/audit/audit.log
type=CRED_REFR msg=audit(1552434501.528:25860): pid=12659 uid=0 auid=0 ses=3578 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1552434501.570:25861): pid=12659 uid=0 auid=0 ses=3578 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=SYSCALL msg=audit(1552434501.574:25862): arch=c000003e syscall=2 success=yes exit=3 a0=7fd2239664d2 a1=80000 a2=1b6 a3=24 items=1 ppid=20513 pid=12659 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3578 comm="crond" exe="/usr/sbin/crond" key="passwd_changes"
type=CWD msg=audit(1552434501.574:25862):  cwd="/"
type=PATH msg=audit(1552434501.574:25862): item=0 name="/etc/passwd" inode=1573099 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1552434501.574:25862): proctitle=2F7573722F7362696E2F63727F6E64002D6E
type=USER_END msg=audit(1552434501.574:25863): pid=12659 uid=0 auid=0 ses=3578 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

The problem is I never passwd_changes recently.what's the meaning of comm="crond" exe="/usr/sbin/crond" key="passwd_changes"?

score 0 · Answer 1 · answered Sep 14 '19 at 00:48

I think you will find that other capability such as the pam libraries will also send messages to auditd.

For a good reference on the fields see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files

You also get some more information if you run the ausearch program over your raw logs. For example running ausearch over the above shows

# ausearch -i -if /tmp/x.1
----
type=CRED_REFR msg=audit(03/13/2019 10:48:21.528:25860) : pid=12659 uid=root auid=root ses=3578 msg='op=PAM:setcred grantors=pam_env,pam_unix acct=root exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success' 
----
type=CRED_DISP msg=audit(03/13/2019 10:48:21.570:25861) : pid=12659 uid=root auid=root ses=3578 msg='op=PAM:setcred grantors=pam_env,pam_unix acct=root exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success' 
----
type=USER_END msg=audit(03/13/2019 10:48:21.574:25863) : pid=12659 uid=root auid=root ses=3578 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct=root exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success' 
----
type=PROCTITLE msg=audit(03/13/2019 10:48:21.574:25862) : proctitle=/usr/sbin/crnd -n 
type=PATH msg=audit(03/13/2019 10:48:21.574:25862) : item=0 name=/etc/passwd inode=1573099 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(03/13/2019 10:48:21.574:25862) :  cwd=/ 
type=SYSCALL msg=audit(03/13/2019 10:48:21.574:25862) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7fd2239664d2 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=20513 pid=12659 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3578 comm=crond exe=/usr/sbin/crond key=passwd_changes 
#

How can `auditd` log in `/var/log/audit/audit.log` even `auditctl -l` is empty?

1 Answers1