So how do I get it then? I found a 9-year-old mail from you about bash --audit and aubash
but that isn't working for me.
On Jul 14, 2016, at 12:06, Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote:
> Sorry, I guess I should have been more clear ... what sort of rule would
> make it show up? I'm not seeing it.
It's hardwired. You don't need to add a rule. The rules that you add always
result in SYSCALL events. You should also add a key to every rule as a
reminder of what it means. So, any SYSCALL event that does not have a key is
triggered by something else like a SELinux AVC.
-Steve
>> On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
>>> On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
>>> How does one get USER_CMD records into the audit.log?
>>
>> The sudo command is the usual way.
>>
>> -Steve
>>
>> --
>> Linux-audit mailing list
>> Linux-audit(a)redhat.com
>>
https://www.redhat.com/mailman/listinfo/linux-audit
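
Added example, not part of the original thread: a Python script that applies the triage described in the reply above to constructed audit.log lines. It picks out USER_CMD records (decoding the hex-encoded `cmd` field), attributes keyed SYSCALL events to a rule, and lists SYSCALL events without a key alongside the other record types in the same event. The key name `shadow-read` and all log values are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread); the key name is hypothetical.
SAMPLE_LOG = """\
type=USER_CMD msg=audit(1468512000.101:410): pid=2301 uid=1000 auid=1000 ses=3 msg='cwd="/home/alice" cmd=6C73202F726F6F74 terminal=pts/0 res=success'
type=SYSCALL msg=audit(1468512001.202:411): arch=c000003e syscall=2 success=yes exit=3 pid=2310 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key="shadow-read"
type=AVC msg=audit(1468512002.303:412): avc:  denied  { read } for  pid=2320 comm="httpd" name="secret" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1468512002.303:412): arch=c000003e syscall=2 success=no exit=-13 pid=2320 auid=4294967295 uid=48 comm="httpd" exe="/usr/sbin/httpd" key=(null)
"""

# Record type plus the event serial shared by all records of one event.
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):")

def decode_cmd(value):
    """Return a readable cmd: quoted values are literal, bare values are hex."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def classify(log_text):
    """Group records by event serial and sort them into three buckets."""
    by_serial = defaultdict(list)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            by_serial[int(m.group(3))].append((m.group(1), line))
    report = {"user_cmd": [], "rule": [], "other": []}
    for serial, records in sorted(by_serial.items()):
        companions = [t for t, _ in records if t != "SYSCALL"]
        for rtype, line in records:
            if rtype == "USER_CMD":
                cmd = re.search(r'\bcmd=("[^"]*"|\S+)', line)
                report["user_cmd"].append((serial, decode_cmd(cmd.group(1)) if cmd else None))
            elif rtype == "SYSCALL":
                key = re.search(r'\bkey=("([^"]*)"|\(null\))', line)
                if key and key.group(2) is not None:
                    report["rule"].append((serial, key.group(2)))   # came from a keyed rule
                else:
                    report["other"].append((serial, companions))    # no key: see companion records
    return report

if __name__ == "__main__":
    for bucket, items in classify(SAMPLE_LOG).items():
        print(bucket, items)
```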