
Notes auditd

See:

Install

apt-get install auditd audispd-plugins

Other - Kernel

Kernel command-line parameters (add them to GRUB_CMDLINE_LINUX and run update-grub). audit=1 turns auditing on from boot, so processes started before auditd comes up are still tracked; audit_backlog_limit raises the kernel's queue of pending records so bursts are not dropped before the daemon reads them:

audit_backlog_limit=8192 audit=1

Define session audit rules

Rules go in /etc/audit/rules.d/audit.rules (files in rules.d are merged into /etc/audit/audit.rules by augenrules). Note what the rule below actually does: it watches the audit log itself for writes (w) and attribute changes (a). That is a tamper check on audit.log, not a record of session creation or termination. Session and login activity is reflected in /var/run/utmp, /var/log/wtmp and /var/log/btmp, so those are the files to watch under a session key; keep the audit.log watch as well, but under its own key so the two do not mix on ausearch -k.

-w /var/log/audit/audit.log -p wa -k session

The next two rules do not capture logins or logouts as such: they log every execve() system call, i.e. every program run in every session, on the 64-bit and 32-bit ABIs (both lines are needed, a 32-bit binary does not match the b64 rule). This is what lets you reconstruct what a user did once logged in, but the volume is high, so read it back filtered on auid/ses (ausearch -k session). Logins and logouts themselves arrive as USER_LOGIN, USER_START and USER_END records, which sshd and libpam emit through libaudit without any rule:

-a always,exit -F arch=b64 -S execve -k session
-a always,exit -F arch=b32 -S execve -k session

Load the new rules

auditctl -R reads a rules file and applies it immediately. With a rules.d layout the usual command is augenrules --load, which merges rules.d/*.rules into /etc/audit/audit.rules and loads the result; the auditd service does the same at boot, so edits under rules.d persist. If the rule set ends with -e 2 (immutable), further changes are refused until reboot.

sudo auditctl -R /etc/audit/rules.d/audit.rules

Verify

Lists the rules currently loaded in the kernel; the execve and watch rules above should appear with their keys. auditctl -s shows the daemon state including the lost counter; if lost keeps growing, the backlog limit set above is too small for the volume the execve rules produce.

sudo auditctl -l
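Reading the records back is where the execve rules earn their cost: the point is to attribute every exec to a login session via auid (the login uid, which survives su/sudo) and ses. The script below is an added example for these notes, not code from the original page or from the audit project. It assumes the execve rules above are loaded with key "session" and that sshd/libpam emit the usual USER_LOGIN and USER_END records (no rule needed for those). The log lines it parses are constructed for the example, not captured from a real host; the field layout follows the raw audit.log format that ausearch also reads.

```python
"""Build a per-session timeline from raw auditd records.

Added example for these notes, not part of the original page or of the
audit project. Assumes the execve rules are loaded with key "session"
and that sshd/PAM emit USER_LOGIN / USER_END records. SAMPLE_LOG below
is constructed for the example, not captured from a real host.
"""
import re
from collections import defaultdict

# Constructed sample: one SSH login as auid 1000 in session 7, a shell,
# a privileged `id -u` (uid 0 but auid still 1000, i.e. after sudo), logout.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1700000000.101:201): pid=3201 uid=0 auid=1000 ses=7 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=3201 pid=3210 auid=1000 uid=1000 gid=1000 euid=1000 ses=7 comm="bash" exe="/usr/bin/bash" key="session"
type=EXECVE msg=audit(1700000000.250:202): argc=1 a0="bash"
type=SYSCALL msg=audit(1700000000.900:203): arch=c000003e syscall=59 success=yes exit=0 a0=55e0 a1=55e1 a2=55e2 a3=0 items=2 ppid=3210 pid=3215 auid=1000 uid=0 gid=0 euid=0 ses=7 comm="id" exe="/usr/bin/id" key="session"
type=EXECVE msg=audit(1700000000.900:203): argc=2 a0="id" a1="-u"
type=USER_END msg=audit(1700000005.000:204): pid=3201 uid=0 auid=1000 ses=7 msg='op=PAM:session_close grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
"""

HEADER_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value where value is '...', "..." or a bare token
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


def parse_record(line):
    """Parse one audit.log line into a dict, or None if it is not a record.

    USER_* records carry a nested msg='...' string with its own fields;
    those are flattened with an msg_ prefix (msg_addr, msg_res, ...).
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    for key, val in FIELD_RE.findall(m["body"]):
        if val.startswith("'") and val.endswith("'"):
            for ikey, ival in FIELD_RE.findall(val[1:-1]):
                rec["msg_" + ikey] = ival.strip('"')
        else:
            rec[key] = val.strip('"')
    return rec


def group_events(lines):
    """Group records by (timestamp, serial): one syscall yields several lines.

    Keeps the first record of each type per event (enough for SYSCALL and
    EXECVE; PATH records, which repeat, are not needed here).
    """
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[(rec["ts"], rec["serial"])].setdefault(rec["type"], rec)
    return [events[k] for k in sorted(events)]


def session_timeline(text, key="session"):
    """Return {ses: [(ts, description), ...]} in time order.

    Attribution is by auid/ses, which survive su and sudo; an exec whose
    uid differs from auid is flagged as a privilege change.
    """
    timeline = defaultdict(list)
    for ev in group_events(text.splitlines()):
        rec = ev.get("USER_LOGIN") or ev.get("USER_END") or ev.get("SYSCALL")
        if rec is None or rec.get("ses") in (None, "unset"):
            continue  # kernel threads / daemons have no login session
        ses, ts = rec["ses"], rec["ts"]
        if rec["type"] == "USER_LOGIN":
            timeline[ses].append((ts, f"login auid={rec['auid']} from "
                                      f"{rec.get('msg_addr', '?')} res={rec.get('msg_res', '?')}"))
        elif rec["type"] == "USER_END":
            timeline[ses].append((ts, f"logout acct={rec.get('msg_acct', '?')}"))
        elif rec.get("key") == key:
            argv = ev.get("EXECVE", {})
            args = [argv.get(f"a{i}", "?") for i in range(int(argv.get("argc", 0)))]
            flag = " [uid!=auid]" if rec["uid"] != rec["auid"] else ""
            timeline[ses].append((ts, f"exec auid={rec['auid']} uid={rec['uid']} "
                                      f"{' '.join(args)}{flag}"))
    return dict(timeline)


def privilege_changes(text):
    """Sessions in which a keyed exec ran with uid != auid (e.g. via sudo)."""
    return sorted(ses for ses, entries in session_timeline(text).items()
                  if any("[uid!=auid]" in desc for _, desc in entries))


if __name__ == "__main__":
    for ses, entries in session_timeline(SAMPLE_LOG).items():
        print(f"session {ses}")
        for ts, desc in entries:
            print(f"  {ts:.3f} {desc}")
```

The same parser reads records produced by any other key (the logind watch below, for instance) since the grouping and field handling do not depend on the rule; only session_timeline filters on the key. On a real host feed it /var/log/audit/audit.log, or the output of ausearch --raw.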

Other

Auditd: monitor logind events with auditd to detect suspicious session activity. Example rule:

auditctl -w /run/logind -p wa -k logind_activity

Check the path before relying on this: on systemd hosts, logind keeps its session, user and seat state under /run/systemd/sessions, /run/systemd/users and /run/systemd/seats, and auditctl accepts a watch on a path that does not exist, so a wrong path gives no error and no events. This is also a one-off auditctl command; put the rule in rules.d for it to survive a restart.

FIXME