I have written my own version of aureport. It is still buggy etc, but it
does already provide something interesting.
For example, it can show command lines. It takes something in the log
like:
    uid=1000 euid=0
    argc=4 a0="sudo" a1="cp" a2="qwerty" a3="/etc/xxx"
    uid = 0 euid=0
    argc=4 a0="cp" a1="qwerty" a2="/etc/xxx"
and puts out:
    uid   euid  command
    ---   ----  -------
    1000  0     sudo cp qwerty /etc/xxx
    0     0     cp qwerty /etc/xxx
which is interesting.
My question is whether I could have done something like this with
aureport.
(This is part of a much bigger question as to how audit can be used to
meet PCI requirements.)
Thanks - Michael
----------------