Automatically generated based on tag:
Title | Type | Summary | Location |
---|---|---|---|
Linux Audit framework (audit logs) | Page | The Linux Audit system is a non-default auditing and logging framework that can be configured to log multiple types of operations, such as authentication successes or failures, process executions, file accesses, user commands executed in a TTY, etc. The Linux Audit framework implements kernel-mode hooks to monitor user-mode processes and generate audit telemetry. The auditd daemon is the main user-mode component of the Linux Audit framework; it receives audit messages sent by the kernel and by other components (such as PAM). The Linux Audit system operates on rules that define which records are captured in the audit logs. If no rules are defined, which is the case by default, only distribution-specific records and telemetry from other components may be logged to the audit log file by the auditd daemon. Depending on the rules configured, multiple events can be generated for the same operation. An event can be split into multiple records, with each record of the same event sharing the same timestamp and the same unique identifier. Each record is associated with a given type: USER_AUTH, USER_LOGIN, EXECVE, SYSCALL, OPENAT, PROCTITLE, USER_CMD, TTY, SOCKADDR, etc. | auditd daemon configuration: /etc/audit/auditd.conf. Audit rules: /etc/audit/audit.rules, /etc/audit/rules.d/. Audit logs: /var/log/audit.log*, /var/log/audit/audit.log.*.gz |
Shell histories | Page | The shell history log files are produced by the shell history feature, which tracks a user's command-line history for a given shell (Bash, Zsh, etc.). While easily bypassed or deleted, the history log files can be a precious source of information on actions performed by a given user. The shell history log files contain commands entered in an (interactive) shell, with no additional metadata such as timestamps (by default). By default, the shell history of a shell session is stored in memory until the shell session is closed. The behavior of the history feature can be modified by setting a number of environment variables (HISTFILE, HISTCONTROL, HISTTIMEFORMAT, HISTSIZE, HISTFILESIZE, etc.). | Bash history: ~/.bash_history. Zsh history: ~/.zsh_history. Non-default history settings may be defined through environment variables set in shell configuration files: .profile, .bash_login / .zlogin, .bashrc / .zshrc, .bash_profile / .zprofile |
viminfo | Page | The vim text editor logs a number of operations in the text-based ".viminfo" log file. The log file notably includes information on the last 100 files accessed (by default) through vim. Under the "jumplist" section, up to 50 file accesses are referenced, with each file access associated with two entries, one for the file opening and one for the file closing. Each entry includes the file path and an epoch timestamp of occurrence (file opening or closing). Subsequent openings of the same file do not erase previous entries for the file. Under the "# History of marks within files" section, up to 100 file accesses are referenced, with only a single entry for a given file, which references the last closing of the file. This section may thus contain more historical data than the "jumplist" section. | ~/.viminfo |