Security Task: Audit Login and Sudo Activity
Goal
Review system access history and privileged command usage for accountability.
Steps
- Review last logins:
  last -a | head
- Check failed login attempts:
  journalctl _COMM=sshd | grep 'Failed password'
- Sudo usage:
  grep sudo /var/log/secure
- Live sudo tracking (if enabled):
  journalctl -u auditd
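
A summary pass over the same log sources as the steps above, as an added example that is not part of the original page. It assumes the traditional syslog layout of /var/log/secure (month, day, time, host, tag); the function names and all sample lines, hosts, users and addresses are constructed.

```bash
#!/usr/bin/env bash
# Added example: summarise sshd failures and sudo events from
# /var/log/secure-style lines read on stdin.

# Constructed sample input (documentation IP ranges, made-up users and host).
sample_log() {
cat <<'EOF'
Jan 10 09:01:12 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 10 09:01:15 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Jan 10 09:02:40 host1 sshd[2150]: Failed password for alice from 198.51.100.23 port 40022 ssh2
Jan 10 09:03:02 host1 sshd[2177]: Accepted password for alice from 198.51.100.23 port 40030 ssh2
Jan 10 09:05:11 host1 sudo[2301]:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
Jan 10 09:06:45 host1 sudo[2330]:     bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/less /var/log/secure
Jan 10 09:07:30 host1 sudo[2355]:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/journalctl -u auditd
EOF
}

# Count "Failed password" lines per source address, highest count first.
# The sshd tag is matched on field 5 and the address is taken by position
# from the end of the line, so text inside a username cannot shift it.
failed_by_source() {
  awk '$5 ~ /^sshd(\[[0-9]+\])?:$/ && $6 == "Failed" && $7 == "password" {
         n[$(NF-3)]++
       }
       END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Print STATUS<TAB>USER<TAB>COMMAND for each sudo line. DENIED is decided
# only from the text before COMMAND=, never from the command arguments.
sudo_events() {
  awk '$5 ~ /^sudo(\[[0-9]+\])?:$/ && (i = index($0, "COMMAND=")) {
         head = substr($0, 1, i - 1)
         denied = (head ~ /NOT in sudoers|command not allowed|incorrect password attempt/)
         printf "%s\t%s\t%s\n", (denied ? "DENIED" : "OK"), $6, substr($0, i + 8)
       }'
}

echo "Failed SSH logins by source:"; sample_log | failed_by_source
echo "sudo events:";                 sample_log | sudo_events
```

On a real host, feed the functions from the files in the steps, for example `failed_by_source < /var/log/secure` or `journalctl _COMM=sshd | failed_by_source`.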
Preventive Actions
- Log forwarding to central server
- Enable TTY logging for sudo
Tools
last, journalctl, auditd, ausearch, /var/log/secure