On 01/11/2010 10:42 AM, Damian Montaldo wrote:
> Hi, this is my first message to this list and I hope that this is the
> correct place to post it, isn't it? If it is not, please tell me.
> So, thanks in advance.
>
> For auditing purposes, I want to log on a server all the users'
> commands and all their arguments [0] using audit (and if someone
> has a better idea, I'm all ears!)
> I was reading over the internet and Fedora-related posts and I found
> [1] that the better way to log users' commands is to add a filter for
> the execve system call.
>
> I'm trying to add a rule like this in /etc/audit/audit.rules
> (avoiding the root commands and crons etc.):
> -a always,entry -S execve -F auid>=500
>
> But it doesn't work for me :(
>
> I think that I have two "things" or problems.
>
> First, the ">=" auid filter doesn't work (and sometimes I have the
> auid "unset", so anyway it's not working).
> I fixed this by adding several rules like:
> -a always,entry -S execve -F auid=1000
> -a always,entry -S execve -F auid=1001
> -a always,entry -S execve -F auid=1002
> -a always,entry -S execve -F auid=1003
> .. and so on
>
> And second, I have a lot of additional context information and I don't want it.
> If I can have a simple list like: user, command, arguments and (less
> important) path, it's great.
> I did some research and again I found [2] this paragraph:
>
> type=SYSCALL ...
> type=CWD ...
> type=PATH...
>
> The above event, a simple less /var/log/audit/audit.log, wrote three
> messages to the log. All of them are closely linked together and you
> would not be able to make sense of one of them without the others.
> The first message reveals the following information:
>
> Confirming that I can't reduce the amount of additional information.
>
> Thanks again and excuse me for my English ;)
> Damian.
>
> [0] That's why I can't use sa
>
> [1] For example:
> http://osdir.com/ml/linux.redhat.security.audit/2007-04/msg00043.html
>
> [2] It is a complete document about audit made by Novell:
> www.novell.com/documentation/sled10/pdfdoc/audit_sp1/audit_sp1.pdf
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

I think you want the linux-audit@xxxxxxxxxx list for this question.
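Added example (not part of the thread above, and not code from the audit project): the two problems in the quoted message, the auid filter and the multi-record events, are usually dealt with by a small post-processor over audit.log rather than by changing what the kernel emits. An execve event written by a rule such as `-a always,exit -S execve -F auid>=1000 -F auid!=4294967295 -k usercmd` consists of SYSCALL, EXECVE, CWD and PATH records that share the same `msg=audit(timestamp:serial)` value; the script below groups records by that serial, decodes the EXECVE arguments (the kernel hex-encodes any argument containing spaces, quotes or non-printables, and splits very long ones into `aN[0]`, `aN[1]`, ...), drops events whose login uid is unset (4294967295, i.e. -1 as u32, which an unsigned `auid>=500` comparison would otherwise match) or below a threshold, and prints one line per command with user, cwd, executed path and argv. The log lines, the rule key `usercmd`, the uid values and the paths are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not real captures). Three execve events:
#   serial 101: auid=1000 runs `ls -la /tmp`
#   serial 102: auid unset (4294967295, e.g. a cron child) runs run-parts
#   serial 103: auid=1000 runs cat on a path containing a space (hex-encoded)
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1263213760.101:101): arch=c000003e syscall=59 success=yes exit=0 a0=1234 a1=5678 a2=9abc a3=0 items=2 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="usercmd"
type=EXECVE msg=audit(1263213760.101:101): argc=3 a0="ls" a1="-la" a2="/tmp"
type=CWD msg=audit(1263213760.101:101):  cwd="/home/damian"
type=PATH msg=audit(1263213760.101:101): item=0 name="/bin/ls" inode=1234 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1263213760.101:101): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5678 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1263213761.202:102): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=900 pid=901 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts" key="usercmd"
type=EXECVE msg=audit(1263213761.202:102): argc=2 a0="/usr/bin/run-parts" a1="/etc/cron.hourly"
type=CWD msg=audit(1263213761.202:102):  cwd="/"
type=PATH msg=audit(1263213761.202:102): item=0 name="/usr/bin/run-parts" inode=77 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1263213762.303:103): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=2001 pid=2010 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="usercmd"
type=EXECVE msg=audit(1263213762.303:103): argc=2 a0="cat" a1=2F746D702F66696C652077697468207370616365
type=CWD msg=audit(1263213762.303:103):  cwd="/home/damian"
type=PATH msg=audit(1263213762.303:103): item=0 name="/bin/cat" inode=99 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
"""

AUID_UNSET = 4294967295  # -1 as u32: no login uid (boot-time daemons, cron jobs)

MSG_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+(?:\[\d+\])?)=("[^"]*"|\S+)')


def decode_value(raw):
    """Audit quotes plain strings; strings with spaces, quotes or
    non-printables are written unquoted as hex. Return the text either way."""
    if raw.startswith('"'):
        return raw[1:-1]
    if len(raw) >= 2 and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_records(text):
    """Group lines by event serial: {serial: {record type: [field dicts]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = dict(FIELD_RE.findall(body))
        fields['_ts'] = ts
        events[int(serial)][rtype].append(fields)
    return events


def argv_from_execve(execve_records):
    """Rebuild argv from a0, a1, ... of the EXECVE record(s). Very long
    arguments arrive as aN[0], aN[1], ...; each chunk is decoded then joined."""
    chunks = defaultdict(dict)
    for rec in execve_records:
        for key, raw in rec.items():
            m = re.fullmatch(r'a(\d+)(?:\[(\d+)\])?', key)
            if m:
                chunks[int(m.group(1))][int(m.group(2) or 0)] = decode_value(raw)
    return [''.join(chunks[i][p] for p in sorted(chunks[i])) for i in sorted(chunks)]


def summarize_execve(text, min_auid=1000):
    """Return (auid, cwd, exe_path, argv) for each complete execve event whose
    login uid is set and >= min_auid. The unset value must be excluded
    explicitly: compared as unsigned it is larger than any real uid."""
    out = []
    events = parse_records(text)
    for serial in sorted(events):
        recs = events[serial]
        if 'SYSCALL' not in recs or 'EXECVE' not in recs:
            continue  # not an execve event, or the rule lacked -S execve
        auid = int(recs['SYSCALL'][0].get('auid', AUID_UNSET))
        if auid == AUID_UNSET or auid < min_auid:
            continue
        cwd = decode_value(recs['CWD'][0]['cwd']) if recs.get('CWD') else '?'
        path = '?'
        for p in recs.get('PATH', []):
            if p.get('item') == '0':  # item=0 is the executed binary
                path = decode_value(p['name'])
        out.append((auid, cwd, path, argv_from_execve(recs['EXECVE'])))
    return out


def format_lines(text, min_auid=1000):
    return ['auid=%d cwd=%s exe=%s cmd=%s' % (auid, cwd, path, ' '.join(argv))
            for auid, cwd, path, argv in summarize_execve(text, min_auid)]


if __name__ == '__main__':
    for line in format_lines(SAMPLE_LOG):
        print(line)
```

Run against a real /var/log/audit/audit.log the same functions apply unchanged; only the grouping key (the serial) and the four record types matter, so extra records such as PROCTITLE on newer kernels are simply ignored. Lowering `min_auid` to 500 reproduces the threshold from the quoted rule, and the unset-auid cron event is still dropped.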