USER_CMD
Steve Grubb
sgrubb at redhat.com
Thu Jul 14 19:50:12 UTC 2016
On Thursday, July 14, 2016 12:44:02 PM EDT Chris Nandor wrote:
> So how do I get it then?
You just run a command under sudo and it does it. There is a chance that your
copy of sudo does not have auditing enabled. You can try using ldd to see if
its linked to the audit libraries. If not, then its not supported.
-Steve
> I found a 9-year old mail from you about bash
> --audit and aubash but that isn't working for me.
> > On Jul 14, 2016, at 12:06, Steve Grubb <sgrubb at redhat.com> wrote:
> >> On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote:
> >> Sorry, I guess I should have been more clear ... what sort of rule would
> >> make it show up? I'm not seeing it.
> >
> > Its hardwired. You don't need to add a rule. The rules that you add always
> > result in SYSCALL events. You should also add a key to every rule as a
> > reminder of what it means. So, any SYSCALL event that does not have a key
> > is trigger by something else like a SELinux AVC.
> >
> > -Steve
> >
> >>> On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> >>>> On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
> >>>> How does one get USER_CMD records into the audit.log?
> >>>
> >>> The sudo command is the usual way.
> >>>
> >>> -Steve
> >>>
> >>> --
> >>> Linux-audit mailing list
> >>> Linux-audit at redhat.com
> >>> https://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list