USER_CMD
Chris Nandor
pudge at pobox.com
Thu Jul 14 19:44:02 UTC 2016
So how do I get it then? I found a 9-year-old mail from you about bash --audit and aubash but that isn't working for me.
> On Jul 14, 2016, at 12:06, Steve Grubb <sgrubb at redhat.com> wrote:
>
>> On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote:
>> Sorry, I guess I should have been more clear ... what sort of rule would
>> make it show up? I'm not seeing it.
>
> It's hardwired. You don't need to add a rule. The rules that you add always
> result in SYSCALL events. You should also add a key to every rule as a
> reminder of what it means. So, any SYSCALL event that does not have a key is
> triggered by something else like a SELinux AVC.
>
> -Steve
>
>>> On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb <sgrubb at redhat.com> wrote:
>>>> On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
>>>> How does one get USER_CMD records into the audit.log?
>>>
>>> The sudo command is the usual way.
>>>
>>> -Steve
>>>
>>> --
>>> Linux-audit mailing list
>>> Linux-audit at redhat.com
>>> https://www.redhat.com/mailman/listinfo/linux-audit
>
>
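An added example, not part of the thread or of the audit project's code: a Python pass over audit.log text that lists USER_CMD records, groups SYSCALL events by rule key, and pairs each keyless SYSCALL with the other record types sharing its event serial. The sample records, the key name `passwd-watch` and the commands are constructed; the record layout and the hex encoding of `cmd=` values containing spaces are assumed from the usual audit.log format.

```python
import re

CMD_HEX = "systemctl restart httpd".encode().hex().upper()
# Constructed sample records in audit.log layout; none come from the thread.
SAMPLE_LOG = f"""\
type=USER_CMD msg=audit(1468525442.101:310): pid=2201 uid=1000 auid=1000 ses=3 msg='cwd="/home/alice" cmd={CMD_HEX} terminal=pts/0 res=success'
type=SYSCALL msg=audit(1468525450.220:311): arch=c000003e syscall=2 success=yes exit=3 pid=2210 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="passwd-watch"
type=AVC msg=audit(1468525451.007:312): avc:  denied  {{ read }} for  pid=2215 comm="httpd" name="notes.txt"
type=SYSCALL msg=audit(1468525451.007:312): arch=c000003e syscall=2 success=no exit=-13 pid=2215 auid=1000 uid=48 comm="httpd" exe="/usr/sbin/httpd" key=(null)
"""

HEADER = re.compile(r"type=(\S+) msg=audit\([\d.]+:(\d+)\): (.*)")

def decode_field(value):
    """Return a field value as text: quoted values are literal, bare ones hex."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # neither quoted nor hex: leave untouched

def field(body, name):
    m = re.search(rf"\b{name}=(\S+)", body)
    return m.group(1) if m else None

def summarize(log_text):
    user_cmds, keyed, unkeyed, others = [], {}, [], {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, serial, body = m.group(1), int(m.group(2)), m.group(3)
        if rtype == "USER_CMD":      # emitted by sudo, no audit rule involved
            user_cmds.append((serial, decode_field(field(body, "cmd") or "")))
        elif rtype == "SYSCALL":
            key = field(body, "key")
            if key in (None, "(null)"):   # not caused by a keyed rule
                unkeyed.append(serial)
            else:
                keyed.setdefault(decode_field(key), []).append(serial)
        else:                        # e.g. AVC records sharing the event serial
            others.setdefault(serial, []).append(rtype)
    return {"user_cmd": user_cmds, "keyed": keyed,
            "unkeyed": [(s, others.get(s, [])) for s in unkeyed]}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```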