Automatically generated based on tag:

Title: Linux Audit framework (audit logs)
Type: Page
Summary: The Linux Audit system is a non-default auditing and logging framework that can be configured to log multiple types of operations, such as authentication successes or failures, process executions, file accesses, user commands executed in a TTY, etc.

The Linux Audit framework implements kernel-mode hooks to monitor user-mode processes and generate audit telemetry. The auditd daemon is the main user-mode component of the Linux Audit framework; it receives audit messages sent by the kernel and by other components (such as PAM).

The Linux Audit system operates on rules that define which records will be captured in the audit logs. If no rules are defined, which is the case by default, only distribution-specific records and telemetry from other components may be logged to the audit log file by the auditd daemon.

Depending on the rules configured, multiple events can be generated for the same operation. An event can be split into multiple records, with each record of the same event sharing the same timestamp and the same unique identifier.

Each record is associated with a given type: USER_AUTH, USER_LOGIN, EXECVE, SYSCALL, OPENAT, PROCTITLE, USER_CMD, TTY, SOCKADDR, etc.
Location:
auditd daemon configuration:
/etc/audit/auditd.conf

Audit rules:
/etc/audit/audit.rules
/etc/audit/rules.d/

Audit logs:
/var/log/audit/audit.log*
/var/log/audit/audit.log.*.gz
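As an added example (not code from this page or from the wiki it is generated from), the Python below parses audit.log lines, groups records into events by their shared timestamp and serial number, and rebuilds the executed command line from the EXECVE and PROCTITLE records of each event. The log lines are constructed, and the field parsing is a simplified, assumed reading of the auditd record format (hex-decoding of unquoted values is applied only to a fixed set of fields).

```python
import re
# Constructed sample audit.log lines (not real telemetry): one event (serial 4242) split
# into SYSCALL, EXECVE and PROCTITLE records, plus a separate USER_AUTH record (serial 4243).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=59 success=yes exit=0 ppid=1000 pid=1001 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1700000000.123:4242): argc=2 a0="cat" a1="/etc/passwd"
type=PROCTITLE msg=audit(1700000000.123:4242): proctitle=636174202F6574632F706173737764
type=USER_AUTH msg=audit(1700000001.456:4243): pid=1200 uid=0 auid=1000 msg='op=PAM:authentication acct="alice" exe="/usr/bin/sudo" res=success'
"""
RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
# Fields auditd hex-encodes (unquoted) when they contain spaces or special characters (assumed set).
HEX_ENCODED = {"proctitle", "comm", "exe", "cwd", "name", "acct"}

def decode_value(rec_type, key, raw):
    """Strip quotes, or hex-decode fields auditd emits unquoted in hex (a0..aN only in EXECVE)."""
    if raw[0] in "\"'":
        return raw[1:-1]
    encoded = key in HEX_ENCODED or (rec_type == "EXECVE" and re.fullmatch(r"a\d+", key))
    if encoded and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_record(line):
    """Parse one audit line into its type, (timestamp, serial) event key and decoded fields."""
    m = RECORD_RE.match(line.strip())
    if not m: return None
    fields = {k: decode_value(m["type"], k, v) for k, v in FIELD_RE.findall(m["body"])}
    return {"type": m["type"], "key": (float(m["ts"]), int(m["serial"])), "fields": fields}

def group_events(text):
    """Group records into events: the records of one event share timestamp and serial."""
    events = {}
    for line in text.splitlines():
        if rec := parse_record(line):
            events.setdefault(rec["key"], []).append(rec)
    return events

def exec_events(text):
    """Return (serial, exe, argv, proctitle) for every event that carries an EXECVE record."""
    out = []
    for (_, serial), recs in sorted(group_events(text).items()):
        by_type = {r["type"]: r["fields"] for r in recs}
        if "EXECVE" not in by_type:
            continue
        ex = by_type["EXECVE"]
        argv = [ex[f"a{i}"] for i in range(int(ex["argc"]))]
        out.append((serial, by_type.get("SYSCALL", {}).get("exe"), argv, by_type.get("PROCTITLE", {}).get("proctitle")))
    return out
```

Running `exec_events` over a real audit.log requires rules that capture execve (key="exec" above is a constructed rule key), otherwise no EXECVE records exist to correlate.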
Title: Shell histories
Type: Page
Summary: The shell history log files are produced by the shell history feature, which tracks a user's command-line history for a given shell (Bash, Zsh, etc.). While easily bypassed or deleted, the history log files can be a valuable source of information on the actions performed by a given user.

The shell history log files contain the commands entered in an (interactive) shell, with no additional metadata such as timestamps (by default). By default, the shell history of a shell session is stored in memory until the shell session is closed.

The behavior of the history feature can be modified by setting a number of environment variables (HISTFILE, HISTCONTROL, HISTTIMEFORMAT, HISTSIZE, HISTFILESIZE, etc.).
Location:
Bash history:
~/.bash_history

Zsh history:
~/.zsh_history

Non-default history settings may be defined through environment variables set in shell configuration files:
.profile, .bash_login / .zlogin, .bashrc / .zshrc, .bash_profile / .zprofile