Différences

Ci-dessous, les différences entre deux révisions de la page.

--- tech:notes_auditd [2025/10/18 20:41] – Jean-Baptiste
+++ tech:notes_auditd [2025/10/23 10:18] (Version actuelle) – Jean-Baptiste
@@ Ligne 8: / Ligne 8: @@
 * [[Notes uptime reboot shutdown stime]]
+Install
 ~~~bash
 apt-get install auditd audispd-plugins
 ~~~
+Autres - Kernel
+~~~python
+audit_backlog_limit=8192 audit=1
+~~~
+Define Session Audit Rules
+To audit session creation and termination:
+''/etc/audit/rules.d/audit.rules''
+~~~bash
+-w /var/log/audit/audit.log -p wa -k session
+~~~
+To monitor user logins and logouts, you can add:
+~~~bash
+-a always,exit -F arch=b64 -S execve -k session
+-a always,exit -F arch=b32 -S execve -k session
+~~~
+Load the New Rules
+~~~bash
+sudo auditctl -R /etc/audit/rules.d/audit.rules
+~~~
+Verif
+~~~bash
+sudo auditctl -l
+~~~
+## Autres
+Auditd: Monitor logind events with auditd to detect suspicious activity. Example rule:
+~~~bash
+auditctl -w /run/logind -p wa -k logind_activity
+~~~
 FIXME