I think there are a few ways you can do this with auditd:
(These both assume you've set up pam_loginuid)
If your admins are a finite set of uids, you could do something like
auditctl -a exit,always -F auid=<admin1> -F success=1
auditctl -a exit,always -F auid=<admin2> -F success=1
...
auditctl -a exit,always -F auid=<adminN> -F success=1
or if by administrators you mean actions run as root (e.g., with sudo or
su), you can do something like
auditctl -a exit,always -F auid!=0 -F euid=0 -F success=1
You'll probably want to restrict which syscalls you care about, e.g.,
open/execve/chmod/unlink, whatever. Those rules as they're written will
log a lot more than you likely want.
On Wed, Feb 8, 2012 at 6:30 AM, Jender, Raymond [USA]
<jender_raymond(a)bah.com> wrote:
How would you set up audit.rules to log any action by
administrators?
Thanks,
Ray
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
--
Peter Moody Google 1.650.253.7306
Security Engineer pgp:0xC3410038
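The two approaches from the reply above, written out as an audit.rules generator that also applies the syscall restriction Peter recommends. This is an added example, not code from the thread; it assumes pam_loginuid is configured, an x86_64 host (so both the b64 and b32 ABIs need rules, or 32-bit binaries go unlogged), and that the output is loaded from a file such as /etc/audit/rules.d/admin.rules (path is an assumption).

```shell
#!/bin/sh
# Added example (not from the original thread): print audit.rules lines that
# implement both approaches from the reply, limited to the syscalls it names.
# Assumes pam_loginuid is set up so auid is populated, and an x86_64 box.
# Usage: admin_audit_rules UID... > /etc/audit/rules.d/admin.rules  (assumed path)

# Syscalls worth logging; the bare rules in the thread match every syscall.
SYSCALLS="execve open openat chmod fchmod fchmodat unlink unlinkat"

# Emit one rule per ABI (b64 and b32) for the given -F filters.
#   $1 = extra -F filters, $2 = key to search with ausearch -k
emit_rules() {
    filters=$1
    key=$2
    for arch in b64 b32; do
        printf '%s -F arch=%s' '-a always,exit' "$arch"
        for sc in $SYSCALLS; do
            printf ' -S %s' "$sc"
        done
        # success=1 keeps only calls that actually succeeded, as in the thread
        printf ' %s -F success=1 -k %s\n' "$filters" "$key"
    done
}

# Approach 1: a finite set of admin uids, one rule pair per uid.
# Approach 2: login uid is not root but the effective uid is, i.e. anything
# run via sudo or su. Note the operator form auid!=0 that auditctl expects.
admin_audit_rules() {
    for uid in "$@"; do
        emit_rules "-F auid=$uid" "admin_$uid"
    done
    emit_rules "-F auid!=0 -F euid=0" "root_via_sudo_su"
}
```

Load the output with `auditctl -R <file>` and confirm with `auditctl -l`; the `-k` keys let you pull just these events back with `ausearch -k admin_<uid>` or `ausearch -k root_via_sudo_su`.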