Hi, this is my first message to this list and I hope that this is the correct place to post it, isn't it? If it is not, please tell me. So, thanks in advance.

For auditing purposes, I want to log on a server all the users' commands and all their arguments [0] using audit (and if someone has a better idea, I'm all ears!).

I was reading on the internet and in Fedora-related posts, and I found [1] that the best way to log users' commands is to add a filter for the execve system call. I'm trying to add a rule like this in /etc/audit/audit.rules (avoiding the root commands, crons, etc.):

    -a always,entry -S execve -F auid>=500

But it doesn't work for me :( I think that I have two "things" or problems.

First, the ">=" auid filter doesn't work (and sometimes I have the auid "unset", so it's not working anyway). I fixed this by adding several rules like:

    -a always,entry -S execve -F auid=1000
    -a always,entry -S execve -F auid=1001
    -a always,entry -S execve -F auid=1002
    -a always,entry -S execve -F auid=1003
    ... and so on

And second, I have a lot of additional context information and I don't want it. If I could have a simple list like: user, command, arguments and (less important) path, it would be great. I did some research and again I found [2] this paragraph:

    type=SYSCALL ...
    type=CWD ...
    type=PATH...

    The above event, a simple less /var/log/audit/audit.log, wrote three messages to the log. All of them are closely linked together and you would not be able to make sense of one of them without the others. The first message reveals the following information:

Confirming that I can't reduce the amount of additional information.

Thanks again and excuse me for my English ;)

Damian.

[0] That's why I can't use sa
[1] For example: http://osdir.com/ml/linux.redhat.security.audit/2007-04/msg00043.html
[2] It is a complete document about audit made by Novell: www.novell.com/documentation/sled10/pdfdoc/audit_sp1/audit_sp1.pdf
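
An added example, not part of the original message: the records of one audit event share the same msg=audit(timestamp:serial) id, so the "user, command, arguments, path" list asked for above can be produced by grouping on that id after the fact instead of trying to log less. The sample log lines are constructed; the sketch assumes the standard auditd layout, where argv is carried in the EXECVE record and unquoted string values are hex-encoded.

```python
import re
from collections import defaultdict
# Constructed sample records (not from a real host), in audit.log layout.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1200000000.101:41): arch=c000003e syscall=59 success=yes exit=0 a0=1f2a a1=1f3b a2=1f4c a3=0 items=2 ppid=2100 pid=2101 auid=1000 uid=1000 gid=1000 tty=pts0 comm="less" exe="/usr/bin/less" key=(null)
type=EXECVE msg=audit(1200000000.101:41): argc=2 a0="less" a1="/var/log/audit/audit.log"
type=CWD msg=audit(1200000000.101:41):  cwd="/home/alice"
type=PATH msg=audit(1200000000.101:41): item=0 name="/usr/bin/less" inode=1234 dev=08:01 mode=0100755 ouid=0 ogid=0
type=SYSCALL msg=audit(1200000000.202:42): arch=c000003e syscall=59 success=yes exit=0 a0=2a a1=2b a2=2c a3=0 items=2 ppid=2200 pid=2201 auid=4294967295 uid=0 gid=0 tty=(none) comm="cat" exe="/bin/cat" key=(null)
type=EXECVE msg=audit(1200000000.202:42): argc=2 a0="cat" a1=2F746D702F6D792066696C65
type=CWD msg=audit(1200000000.202:42):  cwd="/"
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\(([\d.]+:\d+)\): *(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = "4294967295"  # (uint32)-1: no login uid was set for the process

def decode(value):
    """Quoted values are literal; unquoted strings are hex-encoded by auditd."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def summarize(log_text):
    """Return one (auid, exe, argv, cwd) tuple per execve event, in log order."""
    events = defaultdict(dict)  # event id -> {record type -> fields}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            rtype, event_id, body = m.groups()
            events[event_id][rtype] = dict(FIELD.findall(body))
    rows = []
    for rec in events.values():
        sc, ex = rec.get("SYSCALL"), rec.get("EXECVE")
        if not sc or not ex:
            continue
        # argv lives in EXECVE; SYSCALL's a0..a3 are raw register values.
        argv = [decode(ex[f"a{i}"]) for i in range(int(ex["argc"])) if f"a{i}" in ex]
        auid = "unset" if sc["auid"] == UNSET_AUID else sc["auid"]
        cwd = decode(rec.get("CWD", {}).get("cwd", '""'))
        rows.append((auid, decode(sc["exe"]), argv, cwd))
    return rows

if __name__ == "__main__":
    for auid, exe, argv, cwd in summarize(SAMPLE_LOG):
        print(auid, exe, " ".join(argv), cwd)
```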