Différences

Ci-dessous, les différences entre deux révisions de la page.

--- tech:notes_auditd [2025/03/24 15:06] – créée - modification externe 127.0.0.1
+++ tech:notes_auditd [2025/10/23 10:18] (Version actuelle) – Jean-Baptiste
@@ Ligne 1: / Ligne 1: @@
+<!DOCTYPE markdown>
 {{tag>Brouillon Sécurité}}
-= Notes auditd
+# Notes auditd
 Voir :
@@ Ligne 7: / Ligne 8: @@
 * [[Notes uptime reboot shutdown stime]]
+Install
+~~~bash
+apt-get install auditd audispd-plugins
+~~~
+Autres - Kernel
+~~~python
+audit_backlog_limit=8192 audit=1
+~~~
+Define Session Audit Rules
+To audit session creation and termination:
+''/etc/audit/rules.d/audit.rules''
+~~~bash
+-w /var/log/audit/audit.log -p wa -k session
+~~~
+To monitor user logins and logouts, you can add:
+~~~bash
+-a always,exit -F arch=b64 -S execve -k session
+-a always,exit -F arch=b32 -S execve -k session
+~~~
+Load the New Rules
+~~~bash
+sudo auditctl -R /etc/audit/rules.d/audit.rules
+~~~
+Verif
+~~~bash
+sudo auditctl -l
+~~~
+## Autres
+Auditd: Monitor logind events with auditd to detect suspicious activity. Example rule:
+~~~bash
+auditctl -w /run/logind -p wa -k logind_activity
+~~~
 FIXME