
auditing daemon activity (restart, stop, start)



Hi,
I am wondering if there is a way to monitor daemon activity, like a start and stop, with auditd.
I see in the logs of auditd that some activities with crond and/or pam are logged, like:

msg='PAM session close: user=root exe="/usr/sbin/crond"
...
msg='PAM accounting: user=nagios exe="/usr/sbin/sshd"

and I am wondering if I can catch a user that is trying to stop or start a daemon like syslog-ng.

Also, why, if I have no rules defined, does auditd log those things anyway?

Thanks

