{{tag>Brouillon Sécurité}}

# auditd notes

See:

* [[Audit modification droits systeme de fichier avec auditd]]
* [[Notes uptime reboot shutdown stime]]

Install

~~~bash
apt-get install auditd audispd-plugins
~~~

Other - Kernel boot parameters

~~~
audit_backlog_limit=8192 audit=1
~~~

Define Session Audit Rules

To audit session creation and termination:

''/etc/audit/rules.d/audit.rules''

~~~bash
-w /var/log/audit/audit.log -p wa -k session
~~~

To monitor user logins and logouts, you can add:

~~~bash
-a always,exit -F arch=b64 -S execve -k session
-a always,exit -F arch=b32 -S execve -k session
~~~

Load the New Rules

~~~bash
sudo auditctl -R /etc/audit/rules.d/audit.rules
~~~

Verify

~~~bash
sudo auditctl -l
~~~

## Other

Auditd: monitor logind events with auditd to detect suspicious activity. Example rule:

~~~bash
auditctl -w /run/logind -p wa -k logind_activity
~~~

FIXME
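The rules above are written one at a time with `auditctl`, which does not survive a reboot. The script below is an added example (not from these notes) that assembles the same rules into one persistent rules file, runs a small lint over it (every rule must carry a `-k` key so that `ausearch -k` and `aureport -k` can find the records), and only calls `auditctl -R` when the tool exists and the script runs as root. The output path is a parameter; the real location is `/etc/audit/rules.d/audit.rules`. Two caveats a practitioner should keep in mind, and which the comments in the generated file repeat: the `-w /var/log/audit/audit.log` watch protects the audit log from tampering rather than observing sessions (session open/close records such as `USER_START`, `USER_END` and `USER_LOGIN` are emitted by the PAM stack without any rule), and the `execve` rules record every program execution on the box, not only logins, so expect volume. The `-D` and `-b 8192` header lines are standard `auditctl` options (flush rules, set the backlog) and match the `audit_backlog_limit=8192` boot parameter above.

```shell
#!/bin/sh
# Added example: build, lint and (optionally) load a persistent auditd rules
# file containing the session rules from these notes. Not part of the notes.

# Write the rules file. $1 is the destination path (hypothetical; the real
# file is /etc/audit/rules.d/audit.rules).
write_session_rules() {
  cat > "$1" <<'EOF'
## Session auditing rules (constructed example)
# Flush existing rules and size the kernel backlog (same value as the
# audit_backlog_limit=8192 boot parameter).
-D
-b 8192
# Detect writes to / attribute changes on the audit log itself (tamper
# protection; this does not record sessions).
-w /var/log/audit/audit.log -p wa -k session
# Record every execve() on 64-bit and 32-bit ABIs. Logins show up here,
# but so does every other command; PAM emits USER_START/USER_END by itself.
-a always,exit -F arch=b64 -S execve -k session
-a always,exit -F arch=b32 -S execve -k session
# Changes under the logind runtime directory.
-w /run/logind -p wa -k logind_activity
EOF
}

# Lint: every non-comment, non-header line must be a watch (-w) or syscall
# (-a) rule that carries a " -k " key. Returns 1 and names the bad line
# otherwise, so a typo is caught before the file is handed to auditctl.
check_rules() {
  bad=0
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*|'-D'|'-b '*) continue ;;
      -w*" -k "*|-a*" -k "*) ;;
      *) printf 'bad rule: %s\n' "$line" >&2; bad=1 ;;
    esac
  done < "$1"
  return "$bad"
}

# Load the file with auditctl -R, but only where that can work (root on a
# host with auditd installed). Elsewhere it reports and skips.
load_rules() {
  if command -v auditctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    auditctl -R "$1"
  else
    printf 'auditctl unavailable or not root; not loading %s\n' "$1" >&2
  fi
}

# Stand-alone usage: write to a temporary file, lint it, show it.
tmp_rules=$(mktemp)
write_session_rules "$tmp_rules"
check_rules "$tmp_rules" && cat "$tmp_rules"
rm -f "$tmp_rules"
```

After `load_rules`, `auditctl -l` (as on the page) lists what the kernel actually accepted; a rule that the lint passes can still be rejected by the kernel, for instance an `arch=b32` rule on a kernel built without 32-bit compatibility, so compare the two outputs.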
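Once the `session` and `logind_activity` keys are in place, the question is what to do with the records. The following added example (mine, not from these notes) embeds a few constructed `/var/log/audit/audit.log` lines in the format the kernel and PAM actually produce, then answers three questions with `awk`: how many syscall records each key produced (what `aureport -k` summarises), which programs each login user (`auid`) executed under the `execve` rule, and which PAM session open/close events arrived and from which address. The sample records, the user `alice`, the address `203.0.113.5` and the syscall numbers (59 = `execve`, 257 = `openat` on x86_64) are constructed for the example.

```shell
#!/bin/sh
# Added example: summarise auditd records produced by the session rules on
# this page. The log lines below are constructed, not captured from a host.

make_sample_log() {
  cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=5 comm="id" exe="/usr/bin/id" key="session"
type=EXECVE msg=audit(1700000000.101:201): argc=1 a0="id"
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=902 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="sudo" exe="/usr/bin/sudo" key="session"
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=257 success=yes exit=3 ppid=902 pid=903 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="vim" exe="/usr/bin/vim" key="session"
type=SYSCALL msg=audit(1700000000.404:204): arch=c000003e syscall=257 success=yes exit=4 ppid=1 pid=310 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-logind" exe="/lib/systemd/systemd-logind" key="logind_activity"
type=USER_START msg=audit(1700000001.000:205): pid=950 uid=0 auid=1000 ses=5 msg='op=PAM:session_open grantors=pam_loginuid,pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'
type=USER_END msg=audit(1700000002.000:206): pid=950 uid=0 auid=1000 ses=5 msg='op=PAM:session_close grantors=pam_loginuid,pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=success'
EOF
}

# SYSCALL records per audit key ("-k" value), one "key count" line each.
count_by_key() {
  awk '$1 == "type=SYSCALL" && match($0, /key="[^"]*"/) {
         n[substr($0, RSTART + 5, RLENGTH - 6)]++
       }
       END { for (k in n) print k, n[k] }' "$1" | sort
}

# Programs executed per login user: execve (syscall 59) records under the
# session key, as "auid exe count". auid survives su/sudo, uid does not.
execve_by_auid() {
  awk '$1 == "type=SYSCALL" && /syscall=59 / && /key="session"/ {
         auid = ""; exe = ""
         for (i = 1; i <= NF; i++) {
           if (index($i, "auid=") == 1) auid = substr($i, 6)
           if (index($i, "exe=") == 1) { exe = substr($i, 5); gsub(/"/, "", exe) }
         }
         n[auid " " exe]++
       }
       END { for (k in n) print k, n[k] }' "$1" | sort
}

# PAM session open/close events (emitted without any rule) as
# "USER_START|USER_END account address".
pam_sessions() {
  awk '$1 == "type=USER_START" || $1 == "type=USER_END" {
         acct = ""; addr = ""
         if (match($0, /acct="[^"]*"/)) acct = substr($0, RSTART + 6, RLENGTH - 7)
         if (match($0, /addr=[^ ]*/))   addr = substr($0, RSTART + 5, RLENGTH - 5)
         print substr($1, 6), acct, addr
       }' "$1"
}

# Stand-alone usage over the constructed sample.
log=$(mktemp)
make_sample_log "$log"
echo "== records per key";      count_by_key "$log"
echo "== execve per auid";      execve_by_auid "$log"
echo "== PAM sessions";         pam_sessions "$log"
rm -f "$log"
```

On a real host the same functions run over `/var/log/audit/audit.log` (root only), and `ausearch -k session -i` gives the interpreted view of the same records; the `vim` write to the audit log in the sample is exactly the kind of event the `-w /var/log/audit/audit.log` watch exists to surface.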