aureport and command lines
Steve Grubb
sgrubb at redhat.com
Sat Aug 18 13:19:25 UTC 2012
On Sunday, July 22, 2012 10:31:23 AM Michael Mather wrote:
> I have written my own version of aureport. It is still buggy etc, but it
> does already provide something interesting.
>
> For example, it can show command lines. It takes something in the log
> like:
> uid=1000 euid=0
> argc=4 a0="sudo" a1="cp" a2="qwerty" a3="/etc/xxx"
>
> uid = 0 euid=0
> argc=4 a0="cp" a1="qwerty" a2="/etc/xxx"
>
> and puts out:
> uid euid command
> --- ---- -------
> 1000 0 sudo cp qwerty /etc/xxx
> 0 0 cp qwerty /etc/xxx
>
> which is interesting.
>
> My question is whether I could have done something like this with
> aureport.
You can't today. I think this is an omission in the current design. I will try
to fix aureport to output this.
-Steve
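
The report discussed in this thread can be sketched as follows; this is an added example, not part of the original messages and not code from aureport or from the poster's tool. It assumes raw audit.log input in which a SYSCALL record (carrying uid/euid) and an EXECVE record (carrying argc/a0..aN) share the same msg=audit(timestamp:serial) event id, and that unquoted argument values are hex-encoded; the sample records are constructed, and long arguments split across several fields are not handled.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample records (not from a real system), in raw audit.log form.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1345295965.101:501): arch=c000003e syscall=59 success=yes exit=0 pid=4242 uid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo"
type=EXECVE msg=audit(1345295965.101:501): argc=4 a0="sudo" a1="cp" a2="qwerty" a3="/etc/xxx"
type=SYSCALL msg=audit(1345295965.150:502): arch=c000003e syscall=59 success=yes exit=0 pid=4243 uid=0 euid=0 comm="cp" exe="/bin/cp"
type=EXECVE msg=audit(1345295965.150:502): argc=3 a0="cp" a1="qwerty" a2=6D792066696C65
'''

EVENT_ID = re.compile(r'msg=audit\((\d+\.\d+:\d+)\)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_arg(raw):
    """Quoted values are literal; unquoted values are hex-encoded by the audit subsystem."""
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    except ValueError:
        return raw  # e.g. (null), or a value that is not valid hex

def command_lines(log_text):
    """Return [(uid, euid, command)] by joining SYSCALL and EXECVE records per event."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = dict(FIELD.findall(line[m.end():]))
        rec = events[m.group(1)]
        if line.startswith('type=SYSCALL'):
            rec['uid'], rec['euid'] = fields.get('uid'), fields.get('euid')
        elif line.startswith('type=EXECVE'):
            argc = int(fields.get('argc', 0))
            rec['argv'] = [decode_arg(fields[f'a{i}']) for i in range(argc) if f'a{i}' in fields]
    rows = []
    for rec in events.values():  # dicts keep insertion order, so log order is preserved
        if 'argv' in rec:
            rows.append((rec.get('uid', '?'), rec.get('euid', '?'), shlex.join(rec['argv'])))
    return rows

if __name__ == '__main__':
    print('uid   euid  command')
    for uid, euid, cmd in command_lines(SAMPLE_LOG):
        print(f'{uid:<5} {euid:<5} {cmd}')
```

Quoting the output with shlex.join keeps an argument that contains a space (the hex-encoded a2 in the second event) distinguishable from two separate arguments.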