On Friday 27 April 2007 16:05, Taylor_Tad(a)emc.com wrote:
> While a little more verbose than one might like, couldn't you audit
> exec() system calls?
Yes, you could certainly do that. But as you said, it would be more data than
you would want. If you had a policy of no root logins, you could define a
rule something like this:
-a always,entry -S execve -F 'auid>=500'
And that should cut it down to the commands run by real users and not daemons.
However, you might want to only audit successful exec()s.
I don't think execve returns in the normal sense when successful.
-Steve
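Added worked example, not part of the message above or of the audit project's own code. It shows what the rule in the reply leaves you with once the records hit the log, and it applies the "only successful execs" filter that Steve mentions at analysis time: every SYSCALL record carries `success=` and `exit=` fields, so a log consumer can drop the failures even though the rule itself cannot. The sample log lines are constructed to look like auditd output for a 2007-era box; the syscall number 59 is execve on x86_64 and 2 is open (assumption: x86_64 records). Two caveats a defender should know: a daemon that never went through a login carries the unset auid 4294967295, which compares as greater than 500 in the kernel filter, so it is dropped explicitly here (later guidance adds `-F auid!=4294967295` to the rule for that reason); and on current auditctl the `entry` list no longer exists, so the equivalent rule is written against the `exit` list.

```python
import re
from collections import defaultdict

# Constructed sample of auditd output: one SYSCALL record per exec, joined to its
# EXECVE record (the argv) by the serial number inside msg=audit(timestamp:serial).
SAMPLE_LOG = [
    # event 101: user auid=500 ran "ls -la" successfully -> should be reported
    'type=SYSCALL msg=audit(1177700000.123:101): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=1b2c3d0 a1=1b2c4e0 a2=1b2c5f0 a3=0 items=2 ppid=2100 pid=2101 auid=500 uid=500 gid=500 '
    'euid=500 tty=pts0 comm="ls" exe="/bin/ls" key="exec"',
    'type=EXECVE msg=audit(1177700000.123:101): argc=2 a0="ls" a1="-la"',
    # event 102: failed execve (exit=-2, ENOENT); exe still names the caller -> dropped
    'type=SYSCALL msg=audit(1177700000.200:102): arch=c000003e syscall=59 success=no exit=-2 '
    'a0=1b2d000 a1=1b2d100 a2=1b2d200 a3=0 items=1 ppid=2100 pid=2102 auid=500 uid=500 gid=500 '
    'euid=500 tty=pts0 comm="bash" exe="/bin/bash" key="exec"',
    # event 103: cron child, auid unset (4294967295 still passes auid>=500) -> dropped
    'type=SYSCALL msg=audit(1177700000.300:103): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=2a0000 a1=2a0100 a2=2a0200 a3=0 items=2 ppid=900 pid=2103 auid=4294967295 uid=0 gid=0 '
    'euid=0 tty=(none) comm="logrotate" exe="/usr/sbin/logrotate" key="exec"',
    'type=EXECVE msg=audit(1177700000.300:103): argc=1 a0="/usr/sbin/logrotate"',
    # event 104: a root login session (auid=0) -> below the auid>=500 threshold, dropped
    'type=SYSCALL msg=audit(1177700000.400:104): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=3b0000 a1=3b0100 a2=3b0200 a3=0 items=2 ppid=2200 pid=2201 auid=0 uid=0 gid=0 '
    'euid=0 tty=pts1 comm="cat" exe="/bin/cat" key="exec"',
    'type=EXECVE msg=audit(1177700000.400:104): argc=2 a0="cat" a1="/var/log/messages"',
    # event 105: another real user, auid=501 -> reported
    'type=SYSCALL msg=audit(1177700000.500:105): arch=c000003e syscall=59 success=yes exit=0 '
    'a0=4c0000 a1=4c0100 a2=4c0200 a3=0 items=2 ppid=2300 pid=2301 auid=501 uid=501 gid=501 '
    'euid=501 tty=pts2 comm="id" exe="/usr/bin/id" key="exec"',
    'type=EXECVE msg=audit(1177700000.500:105): argc=1 a0="id"',
    # event 106: an open() by the same user, not an exec -> ignored entirely
    'type=SYSCALL msg=audit(1177700000.600:106): arch=c000003e syscall=2 success=yes exit=3 '
    'a0=5d0000 a1=0 a2=0 a3=0 items=1 ppid=2300 pid=2301 auid=501 uid=501 gid=501 '
    'euid=501 tty=pts2 comm="id" exe="/usr/bin/id" key="open"',
]

# Assumption: x86_64 syscall numbers for the exec family.
EXEC_SYSCALLS = {"59": "execve", "322": "execveat"}
AUID_UNSET = 4294967295  # -1 as a u32: the process never went through a login

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Split one auditd line into a dict of key=value fields plus the event id."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        fields["timestamp"], fields["event_id"] = m.group(1), m.group(2)
    return fields


def successful_user_execs(lines, min_auid=500):
    """Return (auid, exe, argv) for each successful exec by a logged-in user.

    Mirrors the rule's auid>=500 test, drops the unset auid that daemons carry,
    and keeps only records with success=yes, which the rule cannot express itself.
    """
    syscalls = {}            # event_id -> SYSCALL record for an exec syscall
    argv = defaultdict(list) # event_id -> argv from the matching EXECVE record
    for line in lines:
        rec = parse_record(line)
        eid = rec.get("event_id")
        if rec.get("type") == "SYSCALL" and rec.get("syscall") in EXEC_SYSCALLS:
            syscalls[eid] = rec
        elif rec.get("type") == "EXECVE":
            argc = int(rec.get("argc", 0))
            argv[eid] = [rec.get(f"a{i}", "") for i in range(argc)]

    results = []
    for eid, rec in syscalls.items():
        auid = int(rec.get("auid", AUID_UNSET))
        if auid == AUID_UNSET or auid < min_auid:
            continue
        if rec.get("success") != "yes":
            continue
        results.append((auid, rec.get("exe", ""), argv.get(eid, [])))
    return results


if __name__ == "__main__":
    for auid, exe, args in successful_user_execs(SAMPLE_LOG):
        print(f"auid={auid} exe={exe} argv={' '.join(args)}")
```

Run as-is it reports only events 101 and 105; the failed exec, the cron child with an unset auid and the root session are all filtered out. Lowering `min_auid` to 0 brings the root session back, which is what you would do if the site policy permits root logins but you still want them reviewed.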