Damian,

> For auditing purposes, I want to log in a server all the users'
> commands and all their arguments [0] using audit (and if someone
> has a better idea, I'm all ears!)

I'm not quite sure this is what you want, but as you are all ears...

TOMOYO Linux (version 1.7) has the capability to collect detailed information, including command line arguments and environment variables. The following was obtained on Fedora 12 (with TOMOYO Linux kernel).

Caller Program = /bin/bash
Process Status = pid=1273 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
Requested Program = /bin/ls
argc=4 envc=24
argv[0] = "ls"
argv[1] = "--color=auto"
argv[2] = "-l"
argv[3] = "/"
envp[0] = "HOSTNAME=tomoyo"
envp[1] = "SELINUX_ROLE_REQUESTED="
envp[2] = "TERM=vt100"
envp[3] = "SHELL=/bin/bash"
envp[4] = "HISTSIZE=1000"
envp[5] = "SSH_CLIENT=192.168.99.1\04041807\04022"
envp[6] = "SELINUX_USE_CURRENT_RANGE="
envp[7] = "SSH_TTY=/dev/pts/0"
envp[8] = "USER=root"
envp[9] = "LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:
*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:"
envp[10] = "MAIL=/var/spool/mail/root"
envp[11] = "PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin"
envp[12] = "PWD=/root"
envp[13] = "LANG=en_US.UTF-8"
envp[14] = "SELINUX_LEVEL_REQUESTED="
envp[15] = "SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass"
envp[16] = "HISTCONTROL=ignoreboth"
envp[17] = "SHLVL=1"
envp[18] = "HOME=/root"
envp[19] = "LOGNAME=root"
envp[20] = "SSH_CONNECTION=192.168.99.1\04041807\040192.168.99.136\04022"
envp[21] = "LESSOPEN=|/usr/bin/lesspipe.sh\040%s"
envp[22] = "G_BROKEN_FILENAMES=1"
envp[23] = "_=/bin/ls"

If this is more than you need, you can of course pick out only the fields you need. Keep in mind that argv[] and envp[] are recorded as-is, so anything passed on the command line or held in the environment also ends up in the log.

For detailed information, please refer to the following page.
http://tomoyo.sourceforge.jp/1.7/ssh-recording-cmdline.html.en

Best regards,
Toshiharu Harada
haradats@xxxxxxxxx

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux