USER_CMD

Steve Grubb sgrubb at redhat.com
Thu Jul 14 19:50:12 UTC 2016


On Thursday, July 14, 2016 12:44:02 PM EDT Chris Nandor wrote:
> So how do I get it then?

You just run a command under sudo and it does it. There is a chance that your 
copy of sudo does not have auditing enabled. You can try using ldd to see if 
its linked to the audit libraries. If not, then its not supported.

-Steve

> I found a 9-year old mail from you about bash
> --audit and aubash but that isn't working for me.
> > On Jul 14, 2016, at 12:06, Steve Grubb <sgrubb at redhat.com> wrote:
> >> On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote:
> >> Sorry, I guess I should have been more clear ... what sort of rule would
> >> make it show up?  I'm not seeing it.
> > 
> > Its hardwired. You don't need to add a rule. The rules that you add always
> > result in SYSCALL events. You should also add a key to every rule as a
> > reminder of what it means. So, any SYSCALL event that does not have a key
> > is trigger by something else like a SELinux AVC.
> > 
> > -Steve
> > 
> >>> On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> >>>> On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
> >>>> How does one get USER_CMD records into the audit.log?
> >>> 
> >>> The sudo command is the usual way.
> >>> 
> >>> -Steve
> >>> 
> >>> --
> >>> Linux-audit mailing list
> >>> Linux-audit at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/linux-audit





More information about the Linux-audit mailing list