Good day,

I am new to auditd and have some issues.

For example, when I add or delete a user, I cannot see the entry with ausearch -m ADD_USER; it returns 0 matches, BUT it's logging it under USER_AUTH. If I do an ausearch -x adduser, I'll see the event in audit.log with the EXECVE type:

 

# ausearch -x useradd | grep titi

type=EXECVE msg=audit(1435677075.900:49410): argc=2 a0="useradd" a1="titi"

 

I also tried to find a full description of all message types returned by ausearch -m but could not find any. Any help on this would be appreciated as well.

 

Many thanks.