samhain can be compiled to monitor login/logout events of system users. For initialization, the system utmp file is searched for users currently logged in. To recognize changes (i.e. logouts or logins), the system wtmp file is then used. This facility is configured in the Utmp section of the configuration file:
```
[Utmp]
#
# activate (0 for switching off)
#
LoginCheckActive=1
#
# interval between checks (in seconds)
#
LoginCheckInterval=600
#
# these are the severities (see the section called "Severity levels"
# in the chapter called "Configuration of logging facilities")
#
SeverityLogin=info
SeverityLogout=info
#
# multiple logins by same user
#
SeverityLoginMulti=crit
```
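The approach described above (seed the session table from utmp, then follow new wtmp records), as an added example that is not samhain's own code. It assumes the 384-byte Linux/glibc `struct utmp` layout; the helper names and sample records are constructed for illustration, and reporting a repeat login at the `SeverityLoginMulti` level instead of the `SeverityLogin` level is this sketch's interpretation.

```python
import struct

# Assumed record layout: Linux/glibc struct utmp, 384 bytes, little-endian.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8   # ut_type values from <utmp.h>
# Severities copied from the [Utmp] section shown above.
SEVERITY = {"login": "info", "logout": "info", "multi": "crit"}

def pack(ut_type, line, user, ts=0):
    """Build one constructed record (sample data only)."""
    return UTMP.pack(ut_type, 0, line.encode(), b"", user.encode(), b"",
                     0, 0, 0, ts, 0, 0, 0, 0, 0, b"")

def parse(blob):
    """Yield (ut_type, line, user); a truncated trailing record is skipped."""
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        f = UTMP.unpack_from(blob, off)
        yield f[0], f[2].rstrip(b"\0").decode(), f[4].rstrip(b"\0").decode()

def sessions_from_utmp(blob):
    """Initial state: terminal line -> user for everyone currently logged in."""
    return {line: user for t, line, user in parse(blob) if t == USER_PROCESS}

def check_wtmp(sessions, blob):
    """Apply new wtmp records to sessions; return (severity, message) events."""
    events = []
    for t, line, user in parse(blob):
        if t == USER_PROCESS:                      # login on this line
            sessions[line] = user
            n = sum(1 for u in sessions.values() if u == user)
            kind = "multi" if n > 1 else "login"
            events.append((SEVERITY[kind], f"{kind} {user} on {line} (sessions={n})"))
        elif t == DEAD_PROCESS and line in sessions:   # logout: user field is empty
            events.append((SEVERITY["logout"], f"logout {sessions.pop(line)} on {line}"))
        elif t == BOOT_TIME:                       # reboot ends every session
            sessions.clear()
    return events

# Constructed sample data: alice is logged in at start-up, then wtmp grows.
SAMPLE_UTMP = pack(USER_PROCESS, "tty1", "alice")
SAMPLE_WTMP = (pack(USER_PROCESS, "pts/0", "bob")
               + pack(USER_PROCESS, "pts/1", "alice")
               + pack(DEAD_PROCESS, "pts/0", ""))

if __name__ == "__main__":
    state = sessions_from_utmp(SAMPLE_UTMP)
    for sev, msg in check_wtmp(state, SAMPLE_WTMP):
        print(f"[{sev}] {msg}")
```

Logout records in wtmp carry the terminal line but usually an empty user name, which is why the sketch keys sessions by line and looks the user up from its own state.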