What the audit system does is record events and save them in a log file. It has two parts. The audit kernel component intercepts system calls from user applications and records the events. auditd collects that information from the kernel component and writes the log entries.
You could, for example, set the maximum log file size to 8MB and have it rotated when it grows past 8MB.
Let’s write the first rule with:
auditctl -w /etc/ssh/sshd_config -p rwxa -k sshconfigchange
(or add the rule in
And restart the service for it to take effect:
service auditd restart
If auditd is running, audit messages will be recorded in the file set by
log_file (in CentOS 7, the default is
If it's not running, the audit messages go to
rsyslog (stored in
Or, send the audit log to syslog or other programs. This is done by the audit dispatcher (audispd). audispd is a daemon which controls the audit dispatcher; it is normally started by the auditd daemon. It takes audit events and distributes them to the programs which want to analyze them in real time. Configuration of the auditd daemon is stored in
You can activate the syslog plugin in
/etc/audisp/plugins.d/syslog.conf, which CentOS includes by default.
But you need to enable it first, because it's disabled by default. Enable it by setting
active = yes.
Search audit log events with:
ausearch -f /etc/ssh/sshd_config -i
ausearch -m LOGIN --start today -i
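The watch rule above only pays off if someone actually reads what it produces. As an added example (not part of the original notes, and not auditd's own tooling), here is a small Python parser that does for raw audit.log records what ausearch -k sshconfigchange does: it groups the SYSCALL, CWD and PATH records that share one event serial, picks out who touched the file (auid is the login uid, which survives su and sudo, so it is the field that names the person; uid is only the effective user), which program did it and which path. The log lines are constructed samples in the format auditd writes, not records from a real host.

```python
import re
from collections import defaultdict

# Constructed sample of raw auditd records (the format written to audit.log):
# a root edit of sshd_config made via sudo by login uid 1000, sshd re-reading
# the file at restart, and one unrelated event without a key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c3e2a2b0 a2=241 a3=1b6 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="sshconfigchange"
type=CWD msg=audit(1700000000.123:4242): cwd="/root"
type=PATH msg=audit(1700000000.123:4242): item=0 name="/etc/ssh/" inode=1234 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.123:4242): item=1 name="/etc/ssh/sshd_config" inode=5678 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000010.456:4250): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd1c2e0a10 a2=0 a3=0 items=1 ppid=1 pid=1300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="sshconfigchange"
type=PATH msg=audit(1700000010.456:4250): item=0 name="/etc/ssh/sshd_config" inode=5678 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000020.789:4260): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=7ffd1c2e0b20 a2=0 a3=0 items=1 ppid=1 pid=1400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)
type=PATH msg=audit(1700000020.789:4260): item=0 name="/etc/crontab" inode=9999 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# name=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# the msg field carries the event timestamp and serial: audit(SECONDS.MS:SERIAL)
MSG_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')
UNSET_AUID = "4294967295"  # (unsigned)-1: the process had no login session


def parse_record(line):
    """Turn one raw audit line into a dict of field -> value (quotes stripped)."""
    rec = {}
    for name, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        rec[name] = value
    m = MSG_RE.search(rec.get("msg", ""))
    if not m:
        return None  # not an audit record we can place in an event
    rec["_time"], rec["_serial"] = float(m.group(1)), int(m.group(2))
    return rec


def group_events(lines):
    """Collect the records that share one serial into one event, in serial order."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line.strip())
        if rec:
            events[rec["_serial"]].append(rec)
    return [events[s] for s in sorted(events)]


def summarize(event):
    """Reduce an event to what an analyst acts on: who, with what, on which path."""
    syscall = next((r for r in event if r["type"] == "SYSCALL"), None)
    if syscall is None:
        return None
    # PARENT entries are the directory; keep the file paths themselves
    paths = [r["name"] for r in event
             if r["type"] == "PATH" and r.get("nametype") != "PARENT"]
    auid = syscall.get("auid")
    return {
        "serial": syscall["_serial"],
        "time": syscall["_time"],
        "key": syscall.get("key"),
        "auid": None if auid == UNSET_AUID else auid,  # login uid, survives su/sudo
        "uid": syscall.get("uid"),                     # effective uid at the time
        "exe": syscall.get("exe"),
        "comm": syscall.get("comm"),
        "syscall": syscall.get("syscall"),
        "success": syscall.get("success") == "yes",
        "paths": paths,
    }


def find_events(lines, key):
    """Offline equivalent of `ausearch -k KEY`: events whose SYSCALL record has that key."""
    return [s for s in map(summarize, group_events(lines)) if s and s["key"] == key]


def interactive_changes(lines, key):
    """Only events from a real login session (auid set): a person, not a daemon."""
    return [s for s in find_events(lines, key) if s["auid"] is not None]


if __name__ == "__main__":
    for ev in find_events(SAMPLE_LOG.splitlines(), "sshconfigchange"):
        who = ev["auid"] or "no login session (daemon)"
        print(f"{ev['serial']}: auid={who} uid={ev['uid']} {ev['exe']} -> {ev['paths']}")
```

Run against the sample, the parser returns two keyed events; only the vim edit has a login uid, so interactive_changes() is what you would alert on, while sshd re-reading its own config at restart is expected noise. Note that auditd hex-encodes a name field containing spaces or non-printable characters and then writes it without quotes; this parser keeps such values verbatim, where ausearch -i would decode them.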