On Mon, Jan 11, 2010 at 12:51 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> On 01/11/2010 10:42 AM, Damian Montaldo wrote:
>> Hi, this is my first message to this list and I hope that this is the
>> correct place to post it, isn't it? If it is not, please tell me.
>> So, thanks in advance.
>>
>> For auditing purposes, I want to log on a server all the users'
>> commands and all their arguments [0] using audit (and if someone
>> has a better idea, I'm all ears!)
>> I was reading over the internet and Fedora-related posts and I found
>> [1] that the better way to log users' commands is to add a filter for
>> the execve system call.
>>
>> I'm trying to add a rule like this in /etc/audit/audit.rules
>> (avoiding the root commands and crons etc.):
>> -a always,entry -S execve -F auid>=500
>>
>> But it doesn't work for me :(
>>
>> I think that I have two "things" or problems.
>>
>> First, the ">=" auid filter doesn't work (and sometimes I have the
>> auid "unset", so anyway it's not working).
>> I fixed this by adding several rules like:
>> -a always,entry -S execve -F auid=1000
>> -a always,entry -S execve -F auid=1001
>> -a always,entry -S execve -F auid=1002
>> -a always,entry -S execve -F auid=1003
>> ... and so on
>>
>> And second, I have a lot of additional context information and I don't want it.
>> If I can have a simple list like: user, command, arguments and (less
>> important) path, it's great.
>> I did some research and again I found [2] this paragraph:
>>
>> type=SYSCALL ...
>> type=CWD ...
>> type=PATH ...
>>
>> The above event, a simple less /var/log/audit/audit.log, wrote three
>> messages to the log. All of them are closely linked together and you
>> would not be able to make sense of one of them without the others.
>> The first message reveals the following information:
>>
>> Confirming that I can't reduce the amount of additional information.
>>
>> Thanks again and excuse me for my English ;)
>> Damian.
>>
>> [0] That's why I can't use sa
>>
>> [1] For example:
>> http://osdir.com/ml/linux.redhat.security.audit/2007-04/msg00043.html
>>
>> [2] It is a complete document about audit made by Novell:
>> www.novell.com/documentation/sled10/pdfdoc/audit_sp1/audit_sp1.pdf
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
> I think you want the linux-audit@xxxxxxxxxx list for this question.

Yes, thanks, but I have tried to subscribe to that list 3 times, starting last Friday...

  Subscribing to Linux-audit
  Subscribe to Linux-audit by filling out the following form. This is a
  closed list, which means your subscription will be held for approval.
  You will be notified of the list moderator's decision by email. This
  is also a hidden list, which means that the list of members is
  available only to the list administrator.

I don't know why a list needs to be "closed and moderated" :(

Thanks again.
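The two problems raised in the thread (the auid filter matching more than intended, and the SYSCALL/EXECVE/CWD/PATH records needing to be joined before they are readable) can both be handled after the fact by a small log reducer. The script below is an added example, not code from the thread or from the audit project. Two facts it relies on: the kernel writes an auid that was never set as 4294967295 (unsigned -1), which is why a bare `-F auid>=500` also matches cron jobs and daemons (the usual rule form is `-a always,exit -S execve -F auid>=500 -F auid!=4294967295 -k usercmd`), and the kernel emits every EXECVE argument either as a quoted string when it is printable or as bare hex when it contains control characters. The log lines, the key name `usercmd`, the user ids and the timestamps are constructed for the example.

```python
import re

# Constructed sample of /var/log/audit/audit.log (not from the thread): an "ls"
# run by auid 1000, a cron job with auid unset (4294967295) that a plain
# "auid>=500" rule would still match, and an "echo" whose second argument is
# hex-encoded by the kernel because it contains a tab character.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1263228120.105:2331): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b3c0 a1=1a2b400 a2=1a2b500 a3=0 items=2 ppid=3011 pid=3150 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="usercmd"
type=EXECVE msg=audit(1263228120.105:2331): argc=3 a0="ls" a1="-la" a2="/var/log"
type=CWD msg=audit(1263228120.105:2331):  cwd="/home/damian"
type=PATH msg=audit(1263228120.105:2331): item=0 name="/bin/ls" inode=393356 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1263228120.900:2335): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=1 pid=3160 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts" key="usercmd"
type=EXECVE msg=audit(1263228120.900:2335): argc=2 a0="run-parts" a1="/etc/cron.hourly"
type=CWD msg=audit(1263228120.900:2335):  cwd="/"
type=SYSCALL msg=audit(1263228131.420:2340): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=1 a2=1 a3=0 items=2 ppid=3011 pid=3171 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=5 comm="echo" exe="/bin/echo" key="usercmd"
type=EXECVE msg=audit(1263228131.420:2340): argc=2 a0="echo" a1=610962
type=CWD msg=audit(1263228131.420:2340):  cwd="/tmp"
"""

AUID_UNSET = 4294967295  # (unsigned)-1: login uid never set (boot, daemons, cron)

# "type=X msg=audit(<timestamp>:<serial>): <fields>"; timestamp+serial is the
# event id that ties SYSCALL, EXECVE, CWD and PATH records together.
MSG_RE = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
# key=value pairs; a value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Split one audit line into (type, timestamp, serial, {field: raw value})."""
    m = MSG_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {key: raw for key, raw, _quoted in FIELD_RE.findall(rest)}
    return rtype, ts, serial, fields


def unquote(raw):
    """Strip the double quotes the kernel puts around printable strings."""
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw


def decode_arg(raw):
    """EXECVE a<N> values are quoted when printable and bare hex otherwise."""
    if raw.startswith('"'):
        return unquote(raw)
    if raw and len(raw) % 2 == 0 and all(c in '0123456789abcdef' for c in raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw


def group_events(log_text):
    """Collect the records of each event under its (timestamp, serial) id."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            rtype, ts, serial, fields = rec
            events.setdefault((ts, serial), []).append((rtype, fields))
    return events


def command_lines(log_text, min_auid=500):
    """Return (time, auid, cwd, argv) for execve events of real logins.

    Events whose auid is unset or below min_auid (system accounts) are dropped,
    which is the filtering a plain "-F auid>=500" rule does not do on its own.
    """
    rows = []
    for (ts, serial), records in group_events(log_text).items():
        by_type = {}
        for rtype, fields in records:
            by_type.setdefault(rtype, fields)  # first PATH record is enough here
        sc, ex = by_type.get('SYSCALL'), by_type.get('EXECVE')
        if sc is None or ex is None:
            continue
        auid = int(sc.get('auid', AUID_UNSET))
        if auid == AUID_UNSET or auid < min_auid:
            continue
        argc = int(ex.get('argc', 0))
        argv = [decode_arg(ex.get('a%d' % i, '')) for i in range(argc)]
        cwd = unquote(by_type.get('CWD', {}).get('cwd', '?'))
        rows.append((float(ts), auid, cwd, argv))
    return rows


def format_line(row):
    """One flat 'time auid cwd command' line per execve, as asked for in the thread."""
    ts, auid, cwd, argv = row
    return '%.3f auid=%d cwd=%s cmd=%s' % (ts, auid, cwd, ' '.join(argv))


if __name__ == '__main__':
    for row in command_lines(SAMPLE_LOG):
        print(format_line(row))
```

Pointing the reducer at a real file means reading `/var/log/audit/audit.log` instead of `SAMPLE_LOG`; the grouping by event id is what `ausearch -i` does internally, and keeping the first PATH record per event gives the executable's path when the rule records items. Long arguments split into `a1[0]`, `a1[1]` chunks by the kernel are not reassembled here.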