Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Why auditd is able to get login attempts if I haven't any defined rule in *.rules file?


I want to record SSH login attempts with Auditd service. It works but I don't understand one thing: I haven't defined any rule in /etc/audit/rules.d/*.rules file (that's is, auditctl -l shows nothing) but anyway Auditd is able to record these events. Why? I thought Audit worked as a "opt-in" recording events starting from nothing if there wasn't any defined rule but I realized it doesn't. Where can I see what Auditd is able to record into audit.log and what not?

Thanks a lot