Auditing Linux Security
Determine your Linux auditing policies. The “Configuring and Using Auditing” section in Oracle Linux: Security Guide for Release 6 can help you plan for what events to audit, where your audit logs should be saved, and how you want to review them.
Some useful logs and commands for auditing Linux security include:
- View /var/log/secure as root to see the history of login attempts and other access messages.
- The command last | more provides a history of users logged in.
- The /var/log/audit/audit.log.[0-9] files keep a log of access attempts that were denied by SELinux. You must be user root to view these.
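The following shell functions are an added example, not part of the original guide. They condense the two log types listed above into counts of failed sshd password attempts per source address and SELinux denials per command, object class and permission. The function names and all sample log lines are constructed for illustration, and the code assumes the standard sshd "Failed password" and SELinux "avc: denied" message layouts.

```shell
# Constructed sample lines in /var/log/secure (sshd) format.
sample_secure() {
cat <<'EOF'
Mar  3 10:15:01 host1 sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 40022 ssh2
Mar  3 10:15:05 host1 sshd[2211]: Failed password for root from 192.0.2.10 port 40023 ssh2
Mar  3 10:16:40 host1 sshd[2290]: Accepted password for alice from 198.51.100.7 port 51234 ssh2
Mar  3 10:17:02 host1 sshd[2301]: Failed password for alice from 203.0.113.5 port 33211 ssh2
EOF
}

# Constructed sample lines in audit.log format (SELinux AVC records).
sample_audit() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2465 comm="httpd" name="index.html" dev=dm-0 ino=13 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1700000005.220:502): avc:  denied  { read } for  pid=2466 comm="httpd" name="page.html" dev=dm-0 ino=14 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1700000009.300:503): avc:  denied  { name_bind } for  pid=3001 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
EOF
}

# Failed sshd password attempts per source address: "<count> <address>".
# The address is read from the fixed tail "from ADDR port N ssh2" because the
# user name earlier in the line is text chosen by the remote client.
failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
        n[$(NF-3)]++
    } END { for (ip in n) print n[ip], ip }' "$@" | sort -k1,1nr -k2,2
}

# SELinux denials grouped as "<count> <comm> <tclass> <permissions>".
avc_denials() {
    awk '/^type=AVC / && / denied / {
        perm = ""; comm = "?"; tclass = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                for (j = i + 1; j <= NF && $j != "}"; j++) {
                    sep = (perm == "" ? "" : ","); perm = perm sep $j
                }
            } else if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
            else if ($i ~ /^tclass=/) tclass = substr($i, 8)
        }
        n[comm " " tclass " " perm]++
    } END { for (k in n) print n[k], k }' "$@" | sort -k1,1nr -k2
}

# As root on a real host: failed_logins /var/log/secure
sample_secure | failed_logins
sample_audit | avc_denials
```

Both functions read standard input when called without arguments and accept one or more file names otherwise, so rotated files can be passed together.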