Re: USER_CMD

On Thursday, July 14, 2016 12:44:02 PM EDT Chris Nandor wrote: > So how do I get it then? You just run a command under sudo and it does it. There is a chance that your copy of sudo does not have auditing enabled. You can try using ldd to see if its linked to the audit libraries. If not, then its not supported. -Steve > I found a 9-year old mail from you about bash > --audit and aubash but that isn't working for me. > > On Jul 14, 2016, at 12:06, Steve Grubb <sgrubb(a)redhat.com&gt; wrote: > >> On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote: > >> Sorry, I guess I should have been more clear ... what sort of rule would > >> make it show up? I'm not seeing it. > > > > Its hardwired. You don't need to add a rule. The rules that you add always > > result in SYSCALL events. You should also add a key to every rule as a > > reminder of what it means. So, any SYSCALL event that does not have a key > > is trigger by something else like a SELinux AVC. > > > > -Steve > > > >>> On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb <sgrubb(a)redhat.com&gt; wrote: > >>>> On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote: > >>>> How does one get USER_CMD records into the audit.log? > >>> > >>> The sudo command is the usual way. > >>> > >>> -Steve > >>> > >>> -- > >>> Linux-audit mailing list > >>> Linux-audit(a)redhat.com > >>> https://www.redhat.com/mailman/listinfo/linux-audit