USER_CMD

Steve Grubb sgrubb at redhat.com
Thu Jul 14 19:06:20 UTC 2016


On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote:
> Sorry, I guess I should have been more clear ... what sort of rule would
> make it show up?  I'm not seeing it.

It's hardwired. You don't need to add a rule. The rules that you add always
result in SYSCALL events. You should also add a key to every rule as a
reminder of what it means. So, any SYSCALL event that does not have a key is
triggered by something else like a SELinux AVC.

-Steve

> On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> > On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
> > > How does one get USER_CMD records into the audit.log?
> > 
> > The sudo command is the usual way.
> > 
> > -Steve
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit at redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
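
Added example, not part of the original thread and not code from the audit project: a Python classifier that applies the distinction made in the reply above to audit.log records, labelling each event as produced by a keyed rule, as a keyless SYSCALL accompanying an AVC, or as a hardwired USER_CMD. The log lines, the key name passwd-watch and the function name classify are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log format (not from a real system).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1468522000.101:501): arch=c000003e syscall=2 success=yes exit=3 pid=2101 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="passwd-watch"
type=PATH msg=audit(1468522000.101:501): item=0 name="/etc/passwd" inode=1234 nametype=NORMAL
type=AVC msg=audit(1468522005.220:502): avc:  denied  { read } for  pid=2150 comm="httpd" name="secret" scontext=system_u:system_r:httpd_t:s0 tclass=file
type=SYSCALL msg=audit(1468522005.220:502): arch=c000003e syscall=2 success=no exit=-13 pid=2150 auid=4294967295 uid=48 comm="httpd" exe="/usr/sbin/httpd" key=(null)
type=USER_CMD msg=audit(1468522010.330:503): pid=2200 uid=1000 auid=1000 ses=1 msg='cwd="/home/chris" cmd="id" terminal=pts/0 res=success'
"""

# type, timestamp, event serial, remainder of the record
RECORD = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
KEY = re.compile(r'\bkey=(\(null\)|"[^"]*"|\S+)')


def classify(log_text):
    """Group records by event serial and label why each event was logged."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if m:
            events[int(m.group(3))].append((m.group(1), m.group(4)))

    result = {}
    for serial, records in sorted(events.items()):
        types = [t for t, _ in records]
        if "USER_CMD" in types:
            result[serial] = "hardwired:USER_CMD"   # no rule involved
        elif "SYSCALL" not in types:
            result[serial] = "other"
        else:
            body = next(b for t, b in records if t == "SYSCALL")
            k = KEY.search(body)
            key = k.group(1).strip('"') if k else "(null)"
            if key != "(null)":
                result[serial] = "rule:" + key       # a rule you added
            elif "AVC" in types:
                result[serial] = "no-key:AVC"        # SELinux denial
            else:
                result[serial] = "no-key:unknown"    # keyless, cause not shown
    return result


if __name__ == "__main__":
    for serial, why in classify(SAMPLE_LOG).items():
        print(serial, why)
```

An event labelled no-key:unknown means either a rule was loaded without a key or the triggering record is of a type this example does not look for.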
