auditing daemon activity (restart, stop, start)

romain.pelissier at bell.ca
Wed Sep 29 15:01:29 UTC 2010


Hi,
I am wondering if there is a way to monitor, with auditd, daemon activity like a start and stop.
I see in the logs of auditd that some activities with crond and/or pam are logged, like:

msg='PAM session close: user=root exe="/usr/sbin/crond"
...
msg='PAM accounting: user=nagios exe="/usr/sbin/sshd"

and I am wondering if I can catch a user that is trying to stop or start a daemon like syslog-ng.

Also, why, if I have no rules defined, does auditd log those things anyway?

Thanks




More information about the Linux-audit mailing list