Hello.
I want to record SSH login attempts with Auditd service. It works but I don't understand one thing: I haven't defined any rule in /etc/audit/rules.d/*.rules file (that's is, auditctl -l shows nothing) but anyway Auditd is able to record these events. Why? I thought Audit worked as a "opt-in" recording events starting from nothing if there wasn't any defined rule but I realized it doesn't. Where can I see what Auditd is able to record into audit.log and what not?
Thanks a lot
