Hello,
We have set up the audit log on a Red Hat Linux 7.3 machine.
We have set up various rules, so far successfully. Our last
requirement is to have an audit log when a user executes su -, su
- root, or sudo su.
I wrote the following rule, but it does not work:
-a always,exit -S su -F auid>=200 -F auid!=4294967295 -F key=su-execution
How can I audit log the execution of the su command?
Best regards
Maria
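
An added example, not part of the original message: the posted rule next to a file-watch form that audits execution of the su binary. It assumes su is installed at /usr/bin/su (the RHEL 7 location) and keeps the auid bounds and key from the post.

```conf
# Added example (not from the original message). Assumes su is installed at
# /usr/bin/su, the RHEL 7 location; confirm with `command -v su`.

# Rule as posted: -S expects a system call name or number, and su is a
# program rather than a system call, so auditctl cannot load it.
# -a always,exit -S su -F auid>=200 -F auid!=4294967295 -F key=su-execution

# File-watch form: record every execution (perm=x) of the su binary by a
# logged-in user. auid keeps the original login UID, so "sudo su" is
# attributed to the user who ran sudo.
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=200 -F auid!=4294967295 -F key=su-execution
```

Saved in a .rules file under /etc/audit/rules.d/ and loaded with `augenrules --load`, matching events can be listed with `ausearch -k su-execution -i`.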