Ah, I see. I didn't get that it was sudo itself doing it (assuming it was linked to libaudit). Yes, in 12.04, libaudit is not part of the base system. I've tried it in a vagrant box under 16.04, ldd reports libaudit is linked, and it works fine there.

I think we'll just skip pam_tty_audit (since it records passwords on 12.04's kernel) and USER_CMD on our 12.04 boxes.

Thanks!

On Thu, Jul 14, 2016 at 12:50 PM, Steve Grubb <sgrubb@redhat.com> wrote:

On Thursday, July 14, 2016 12:44:02 PM EDT Chris Nandor wrote:
> So how do I get it then?

You just run a command under sudo and it does it. There is a chance that your
copy of sudo does not have auditing enabled. You can try using ldd to see if
its linked to the audit libraries. If not, then its not supported.

-Steve

> I found a 9-year old mail from you about bash
> --audit and aubash but that isn't working for me.
> > On Jul 14, 2016, at 12:06, Steve Grubb <sgrubb@redhat.com> wrote:
> >> On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote:
> >> Sorry, I guess I should have been more clear ... what sort of rule would
> >> make it show up? I'm not seeing it.
> >
> > Its hardwired. You don't need to add a rule. The rules that you add always
> > result in SYSCALL events. You should also add a key to every rule as a
> > reminder of what it means. So, any SYSCALL event that does not have a key
> > is trigger by something else like a SELinux AVC.
> >
> > -Steve
> >
> >>> On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> >>>> On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
> >>>> How does one get USER_CMD records into the audit.log?
> >>>
> >>> The sudo command is the usual way.
> >>>
> >>> -Steve
> >>>
> >>> --
> >>> Linux-audit mailing list
> >>> Linux-audit@redhat.com
> >>> https://www.redhat.com/mailman/listinfo/linux-audit