Hi,

I am wondering if there is a way to monitor, with auditd, daemon activity like a start and stop. I see in the logs of auditd that some activities with crond and/or pam are logged, like:

msg='PAM session close: user=root exe="/usr/sbin/crond" ...
msg='PAM accounting: user=nagios exe="/usr/sbin/sshd"

and I am wondering if I can catch a user that is trying to stop or start a daemon like syslog-ng.

Also, why, if I have no rules defined, does auditd log those things anyway?

Thanks

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit