[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: Example



Title: Example
Let me rephrase.  It would report an audit record only if a general user uses the 'date' command, but do nothing if root execute it.


From: linux-audit-bounces redhat com [mailto:linux-audit-bounces redhat com] On Behalf Of Fulda, Paul (Space Technology)
Sent: Tuesday, September 23, 2008 11:18 AM
To: Linux-audit redhat com
Subject: Example

Can someone give me an example of how to audit the "date" command in the audit.rules file.  I would like for it to report only failures for a user using the command.  Root using the command would report nothing.  I can get this working for file watches but not for executables using:

-a exit,always  -w /etc/shadow -S open -F success!=1


Thanks!


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]