
Why is auditd able to get login attempts if I haven't defined any rule in the *.rules file?

asked 2019-01-24 07:26:44 -0500

q2dg


I want to record SSH login attempts with the Auditd service. It works, but I don't understand one thing: I haven't defined any rule in the /etc/audit/rules.d/*.rules files (that is, auditctl -l shows nothing), but Auditd is able to record these events anyway. Why? I thought Audit worked as an "opt-in", recording events starting from nothing if there wasn't any defined rule, but I realized it doesn't. Where can I see what Auditd is able to record into audit.log and what not?

Thanks a lot


1 Answer


answered 2019-01-28 17:43:05 -0500

q2dg


Last updated: Jan 28 '19