Audit framework

  • Info
    auditctl -s # reports the status of the Audit system
    systemctl status systemd-journald-audit.socket # is journald receiving audit messages?
    systemctl status auditd.service # is the audit daemon running?
    auditctl -l # lists all currently loaded Audit rules
  • Config
    auditctl -D # deletes all currently loaded Audit rules
    augenrules --load # merges /etc/audit/rules.d/*.rules into /etc/audit/audit.rules and loads them
  • Reports
    aureport -n # anomaly event report; look for abnormalities


Control Rules

-D      # Delete all previous rules
-b 8192 # Set buffer size
-e 2    # Make the configuration immutable -- reboot is required to change audit rules
-f 2    # Panic when a failure occurs
-r 100  # Generate at most 100 audit messages per second
--loginuid-immutable    # Make login UID immutable once it is set (takes no argument; may break containers)
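To verify that a host actually runs with the control rules above, here is an added example (not from the original page) that parses `auditctl -s` style output and reports every setting that deviates from the baseline. The status text is constructed; on a live host pass `"$(auditctl -s)"` instead.

```sh
#!/bin/sh
# Constructed sample of `auditctl -s` output from a host with default settings;
# on a live host use: check_control_settings "$(auditctl -s)"
SAMPLE_STATUS='enabled 1
failure 1
pid 812
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
loginuid_immutable 0 unlocked'

# Constructed sample of a host where the control rules above were applied.
HARDENED_STATUS='enabled 2
failure 2
pid 812
rate_limit 100
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
loginuid_immutable 1 locked'

# status_value STATUS KEY: print the value of KEY from auditctl -s style text
status_value() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# check_control_settings STATUS: print one line per setting that differs from
# the baseline (-e 2, -f 2, -b 8192, -r 100, --loginuid-immutable);
# returns 0 when everything matches, 1 otherwise
check_control_settings() {
    status="$1"
    deviations=0
    for pair in enabled=2 failure=2 backlog_limit=8192 rate_limit=100 loginuid_immutable=1; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(status_value "$status" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s: expected %s, got %s\n' "$key" "$want" "${have:-<missing>}"
            deviations=$((deviations + 1))
        fi
    done
    [ "$deviations" -eq 0 ]
}

# Stand-alone run: report drift for the constructed default-settings sample
check_control_settings "$SAMPLE_STATUS" || echo "audit control settings deviate from baseline"
```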


