tech:notes_auditd
Différences
Ci-dessous, les différences entre deux révisions de la page.
| Prochaine révision | Révision précédente | ||
| tech:notes_auditd [2025/03/24 15:06] – créée - modification externe 127.0.0.1 | tech:notes_auditd [2025/10/23 10:18] (Version actuelle) – Jean-Baptiste | ||
|---|---|---|---|
| Ligne 1: | Ligne 1: | ||
| + | < | ||
| {{tag> | {{tag> | ||
| - | = Notes auditd | + | # Notes auditd |
| Voir : | Voir : | ||
| Ligne 7: | Ligne 8: | ||
| * [[Notes uptime reboot shutdown stime]] | * [[Notes uptime reboot shutdown stime]] | ||
| + | Install | ||
| + | ~~~bash | ||
| + | apt-get install auditd audispd-plugins | ||
| + | ~~~ | ||
| + | |||
| + | Autres - Kernel | ||
| + | ~~~python | ||
| + | audit_backlog_limit=8192 audit=1 | ||
| + | ~~~ | ||
| + | |||
| + | |||
| + | Define Session Audit Rules | ||
| + | To audit session creation and termination: | ||
| + | ''/ | ||
| + | ~~~bash | ||
| + | -w / | ||
| + | ~~~ | ||
| + | |||
| + | |||
| + | To monitor user logins and logouts, you can add: | ||
| + | ~~~bash | ||
| + | -a always,exit -F arch=b64 -S execve -k session | ||
| + | -a always,exit -F arch=b32 -S execve -k session | ||
| + | ~~~ | ||
| + | |||
| + | Load the New Rules | ||
| + | ~~~bash | ||
| + | sudo auditctl -R / | ||
| + | ~~~ | ||
| + | |||
| + | Verif | ||
| + | ~~~bash | ||
| + | sudo auditctl -l | ||
| + | ~~~ | ||
| + | |||
| + | |||
| + | ## Autres | ||
| + | |||
| + | |||
| + | Auditd: Monitor logind events with auditd to detect suspicious activity. Example rule: | ||
| + | ~~~bash | ||
| + | auditctl -w /run/logind -p wa -k logind_activity | ||
| + | ~~~ | ||
| FIXME | FIXME | ||
tech/notes_auditd.1742825205.txt.gz · Dernière modification : de 127.0.0.1