Install auditd using the apt package manager.

Verify the auditd service using the systemctl command.

Configure the $/$etc$/$audit$/$auditd$.$conf file with the following parameters using sudo:

Log file location is $/$var$/$log$/$audit$/$audit$.$log$.$

Number of retained logs is $10.$

Maximum log file size is $50.$

Check to make sure there are no existing rules.

Create a rule that will monitor $/$etc$/$passwd and $/$etc$/$shadow for any changes.

Restart the auditd daemon.

Check to verify the new rules have taken place.

Add a new rule to audit the $/$usr directory.

Verify the new rule by listing auditcl rules.

Perform a search in the authentication report for user authentication attempts.

Make sure to disable your current sudo access with sudo $-$k$.$ This option revokes your current sudo session, requiring you to have to enter your password on your next sudo command.

Perform a sudo su three times using the wrong password, then run the same report again.

Create a new user, criminal, then perform a search for account modifications.