Audit logging

Steve G linux_4ever at
Fri Aug 4 10:08:09 UTC 2006

>If I'm reading this correctly, this could be a "Using SELinux to 
>perform self-auditing" (or whatever) topic, including why you would do that, 
>why SELinux is a good way to do it,

SE Linux is the wrong approach for this. This is more in the domain of what the
audit system does. A simple case of auditing root actions is handled by this:

-a always,entry -S execve -F "auid>500" -F uid=0

This will capture all execve parameters for people that logged in with normal
user account and have changed uid to root. You have to forbid peoople logging in
directly as root, too.

It might be better if we update bash to log commands instead of getting every


Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 

More information about the fedora-selinux-list mailing list