What does auditd log by default (i.e. when no rules are defined)?

These events are coming from other capabilities (pam, openssh, etc.) that send audit events to the auditing service. If you don't want any events, add audit=0 to the kernel command line args.

If you want to know which capabilities may want to use the auditing service, try something like:

[burn@fc24 ~]$ rpm -q --whatrequires audit-libs
libsemanage-2.5-2.fc24.x86_64
shadow-utils-4.2.1-8.fc24.x86_64
pam-1.2.1-5.fc24.x86_64
util-linux-2.28-3.fc24.x86_64
openssh-7.2p2-9.fc24.x86_64
passwd-0.79-8.fc24.x86_64
gdm-3.20.1-3.fc24.x86_64
pam-1.2.1-5.fc24.i686
[burn@fc24 ~]$ 

By default, auditd logs security-related commands. This is not something that can be seen in the config files; it happens by default when auditd is running. You can get a summary of what commands have been logged on your system recently using:

sudo aureport -x --summary

I have been unable to find a list of all the commands that are logged by default. My CentOS 7 system logs these by default (not an exhaustive list, just what's shown in the logs):

/usr/sbin/crond
/usr/libexec/dovecot/auth
/usr/sbin/sshd
/usr/bin/sudo
/usr/sbin/xtables-multi
/usr/lib/systemd/systemd
/usr/bin/passwd

It also logs log-ins, log-outs and SELinux-related messages.

Two articles that were used for reference:

  • How To Use the Linux Auditing System on CentOS 7
  • How To Write Custom System Audit Rules on CentOS 7
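
To see which record types each program contributes, beyond the per-executable counts from aureport -x --summary, the following added example (not part of either answer above) parses audit.log-style lines and groups record types by the exe field. The sample records are constructed, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records in audit.log format (not taken from a real host).
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1469000001.101:210): pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="burn" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1469000001.140:211): pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_unix acct="burn" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=USER_START msg=audit(1469000050.300:230): pid=2200 uid=0 auid=1000 ses=3 msg='op=PAM:session_open grantors=pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_ACCT msg=audit(1469000060.010:240): pid=2250 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=SERVICE_START msg=audit(1469000070.500:250): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=crond comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SYSCALL msg=audit(1469000080.700:260): arch=c000003e syscall=54 success=yes exit=0 ppid=1 pid=2400 auid=4294967295 uid=0 tty=(none) ses=4294967295 comm="iptables" exe="/usr/sbin/xtables-multi" key=(null)
type=LOGIN msg=audit(1469000090.900:270): pid=2500 uid=0 old-auid=4294967295 auid=1000 old-ses=4294967295 ses=4 res=1
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")
# key=value pairs, where value is "quoted" or a bare token; also matches inside msg='...'
FIELD = re.compile(r"""(?<![\w-])([\w-]+)=("[^"]*"|[^\s']+)""")

def decode_exe(value):
    """Strip quotes, or decode the upper-case hex form used for paths with spaces or control characters."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def parse_record(line):
    """Return (record_type, exe) for one audit.log line; exe is None when the record has no exe field."""
    head = HEADER.match(line)
    if not head:
        return None
    fields = dict(FIELD.findall(line))
    exe = fields.get("exe")
    return head.group(1), (decode_exe(exe) if exe else None)

def types_by_exe(log_text):
    """Map each executable to a Counter of the record types it appears in."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            summary[rec[1] or "(no exe field)"][rec[0]] += 1
    return summary

if __name__ == "__main__":
    for exe, types in sorted(types_by_exe(SAMPLE_LOG).items()):
        print(exe, dict(types))
```

On a real system, pass the contents of /var/log/audit/audit.log (readable by root) to types_by_exe instead of the sample.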