Why is auditd able to get login attempts if I haven't defined any rule in a *.rules file?

asked 2019-01-24 07:26:44 -0600

q2dg

Hello.

I want to record SSH login attempts with the Auditd service. It works, but I don't understand one thing: I haven't defined any rule in a /etc/audit/rules.d/*.rules file (that is, auditctl -l shows nothing), but Auditd is able to record these events anyway. Why? I thought Audit worked as an "opt-in", recording events starting from nothing if there wasn't any defined rule, but I realized it doesn't. Where can I see what Auditd is able to record into audit.log and what not?

Thanks a lot


1 Answer


answered 2019-01-28 17:43:05 -0600

q2dg

Last updated: Jan 28