Auditing in Linux

auditd is a Linux utility available in the distribution repositories (package auditd) and installable, for example, from Synaptic or with apt.

The event source is the kernel's audit subsystem; auditd is the lightweight userspace daemon that receives those events and writes them to a log file (by default /var/log/audit/audit.log). What gets logged is highly configurable through rules loaded with auditctl or kept under /etc/audit/.

Right after installation, without any custom rules, it already shows interesting results with the aureport command:

Summary Report
======================
Range of time in logs: 05/30/19 12:17:27.430 - 05/30/19 19:25:01.042
Selected time for report: 05/30/19 12:17:27 - 05/30/19 19:25:01.042
Number of changes in configuration: 9
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 27
Number of authentications: 2
Number of failed authentications: 9
Number of users: 3
Number of terminals: 7
Number of host names: 11
Number of executables: 6
Number of commands: 1
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 88
Number of events: 438
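As an added example (not code from the original page or from the audit project), here is a small Python script that reads records in the raw format auditd writes to /var/log/audit/audit.log and derives a few of the counters that aureport prints above, plus something the summary does not give directly: failed logins per source address. The log lines are constructed for the example; the field names (type, res, addr, exe, acct) and the nested msg='...' payload are the ones auditd uses, but the counters are a simplification of how aureport computes its own (for instance, aureport's "Number of users" is not just a count of distinct acct= values).

```python
"""Mini aureport: derive summary counters from raw auditd records.

Added example for this page, not code from the page or from the audit
project. It parses the key=value format that auditd writes to
/var/log/audit/audit.log and computes a few of the counters that
aureport prints, plus failed logins per source address.
"""
import re
from collections import Counter

# Constructed sample records in auditd's native on-disk format (not a
# real log). Timestamps are epoch seconds; the number after ':' is the
# event serial. sshd/PAM events nest their fields inside msg='...'.
SAMPLE_LOG = """\
type=CONFIG_CHANGE msg=audit(1559210247.430:100): auid=4294967295 ses=4294967295 op=add_rule key=(null) list=4 res=1
type=USER_LOGIN msg=audit(1559210300.101:101): pid=1210 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1559210302.102:102): pid=1211 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="admin" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1559210305.103:103): pid=1212 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1559211000.200:104): pid=1300 uid=1000 auid=1000 ses=3 msg='op=PAM:authentication acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=failed'
type=USER_AUTH msg=audit(1559211003.201:105): pid=1300 uid=1000 auid=1000 ses=3 msg='op=PAM:authentication acct="alice" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_LOGIN msg=audit(1559211100.300:106): pid=1400 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=/dev/pts/1 res=success'
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):(?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return one record as a dict of fields, or None if the line is not an audit record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    # Unwrap the nested msg='...' payload so the same field regex sees
    # acct=, exe=, addr= and res= as top-level fields.
    inner = re.search(r"msg='(.*)'\s*$", rest)
    if inner:
        rest = rest[: inner.start()] + inner.group(1)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["type"] = m.group("type")
    fields["ts"] = float(m.group("ts"))
    fields["serial"] = int(m.group("serial"))
    return fields


def records(log_text):
    """All parseable records in a chunk of audit.log text, in file order."""
    return [r for r in (parse_record(line) for line in log_text.splitlines()) if r]


def summarize(log_text):
    """Simplified versions of some of the counters in aureport's summary."""
    summary = {"events": 0, "config_changes": 0, "logins": 0,
               "failed_logins": 0, "auths": 0, "failed_auths": 0}
    hosts, exes, users = set(), set(), set()
    for r in records(log_text):
        summary["events"] += 1
        failed = r.get("res") == "failed"
        if r["type"] == "CONFIG_CHANGE":
            summary["config_changes"] += 1
        elif r["type"] == "USER_LOGIN":
            summary["failed_logins" if failed else "logins"] += 1
        elif r["type"] == "USER_AUTH":
            summary["failed_auths" if failed else "auths"] += 1
        # auditd writes '?' when a value is unknown; do not count those.
        for key, bucket in (("addr", hosts), ("exe", exes), ("acct", users)):
            if r.get(key) not in (None, "?"):
                bucket.add(r[key])
    summary.update(hosts=len(hosts), executables=len(exes), users=len(users))
    return summary


def failed_logins_by_addr(log_text):
    """Failed USER_LOGIN events per source address: the view the summary lacks."""
    counts = Counter()
    for r in records(log_text):
        if r["type"] == "USER_LOGIN" and r.get("res") == "failed":
            counts[r.get("addr", "?")] += 1
    return dict(counts)


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
    print("failed logins by address:", failed_logins_by_addr(SAMPLE_LOG))
```

On a real host the same parser can be pointed at /var/log/audit/audit.log, but the stock tools already give these views: aureport -l --failed lists each failed login with its source, aureport -au --failed does the same for authentications, and ausearch -m USER_LOGIN -sv no -i prints the underlying records with uids and timestamps interpreted.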

The security-relevant part of that summary is the 27 failed logins and 9 failed authentications, spread over 11 host names in roughly seven hours, against 0 successful logins and only 2 successful authentications: that is the pattern of remote password guessing, and it is the first thing to chase down. aureport -l --failed lists each failed login with its source, and aureport -au --failed does the same for authentication attempts.

Learn more: man pages (auditd, auditctl, aureport, ausearch), XPLG, Solvetic.