Voir :

• Audit modification droits systeme de fichier avec auditd
• Notes uptime reboot shutdown stime

Install

apt-get install auditd audispd-plugins

Define Session Audit Rules To audit session creation and termination: /etc/audit/rules.d/audit.rules

-w /var/log/audit/audit.log -p wa -k session

To monitor user logins and logouts, you can add:

-a always,exit -F arch=b64 -S execve -k session
-a always,exit -F arch=b32 -S execve -k session

Load the New Rules

sudo auditctl -R /etc/audit/rules.d/audit.rules

Verif

sudo auditctl -l