Notes auditd
See:
Install
apt-get install auditd audispd-plugins
Other - kernel boot parameters (kernel command line)
audit_backlog_limit=8192 audit=1
Define Session Audit Rules
To audit session creation and termination, add to /etc/audit/rules.d/audit.rules:
-w /var/log/audit/audit.log -p wa -k session
Note: this is a file watch (-w): it records writes (w) and attribute changes (a) to the audit log itself under the key "session".
To monitor the commands run in user sessions (execve on both 64-bit and 32-bit ABIs), you can add:
-a always,exit -F arch=b64 -S execve -k session
-a always,exit -F arch=b32 -S execve -k session
Load the New Rules
Loads immediately; augenrules also merges /etc/audit/rules.d/*.rules into /etc/audit/audit.rules when the auditd service starts:
sudo auditctl -R /etc/audit/rules.d/audit.rules
Verify (lists the rules currently loaded in the kernel)
sudo auditctl -l
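Once the execve rules above are loaded, each command run in a session produces a SYSCALL record and an EXECVE record that share a serial number. The following added example (my own code, not part of these notes or of auditd) correlates them from the native audit.log format, decodes hex-encoded arguments and flags processes with no login session (auid unset); the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample records (not captured data) in auditd's native format,
# as the execve rules tagged -k session would write them to audit.log.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1501 auid=1000 uid=1000 comm="id" exe="/usr/bin/id" key="session"
type=EXECVE msg=audit(1700000000.101:201): argc=1 a0="id"
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1502 auid=1000 uid=0 comm="sh" exe="/usr/bin/dash" key="session"
type=EXECVE msg=audit(1700000000.205:202): argc=3 a0="sh" a1="-c" a2=69643B206C73
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=800 auid=4294967295 uid=0 comm="run-parts" exe="/usr/bin/run-parts" key="session"
type=EXECVE msg=audit(1700000000.300:203): argc=2 a0="run-parts" a1="/etc/cron.hourly"
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUID_UNSET = 4294967295  # (unsigned)-1: no login session attached (cron, daemons)

def decode_arg(raw):
    # EXECVE args are quoted when printable, else hex-encoded without quotes
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw

def parse_records(text):
    # -> list of (type, serial, raw fields); blank or truncated lines are skipped
    out = []
    for m in filter(None, map(HEADER_RE.match, text.splitlines())):
        rtype, _ts, serial, rest = m.groups()
        out.append((rtype, int(serial), dict(FIELD_RE.findall(rest))))
    return out

def execve_events(text, key="session"):
    # correlate SYSCALL and EXECVE records sharing a serial; keep those tagged `key`
    by_serial = defaultdict(list)
    for rec in parse_records(text):
        by_serial[rec[1]].append(rec)
    events = []
    for serial, recs in sorted(by_serial.items()):
        fields = {r[0]: r[2] for r in recs}
        sc = fields.get("SYSCALL", {})
        if sc.get("key") != f'"{key}"':
            continue
        ex = fields.get("EXECVE", {})
        argv = [decode_arg(ex.get(f"a{i}", '""')) for i in range(int(ex.get("argc", "0")))]
        auid = int(sc.get("auid", AUID_UNSET))
        events.append({"serial": serial, "auid": auid, "exe": sc.get("exe", "").strip('"'),
                       "argv": argv, "no_login_session": auid == AUID_UNSET})
    return events
```

On a real host, feed it the contents of /var/log/audit/audit.log (or the output of ausearch -k session --raw); events with no_login_session set come from processes that never went through pam_loginuid, such as cron jobs.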
Other
Auditd: Monitor logind events with auditd to detect suspicious activity. Example rule:
auditctl -w /run/logind -p wa -k logind_activity
tech/notes_auditd.txt · Last modified: by Jean-Baptiste
