How to make sure a specific event is logged with the proper message type?

Steve Grubb sgrubb at redhat.com
Mon Jul 6 16:01:33 UTC 2015


On Monday, July 06, 2015 02:02:32 PM Alarie, Maxime wrote:
> Hi,
> 
> I have this rule in audit.rules : 
> -w /usr/sbin/useradd -p x -k user_modification

Note that this rule will create a SYSCALL event. To find it later, you would 
run:

ausearch --start today -k user_modification


> When I add a user and do an ausearch -m ADD_USER, I get 0 matches. Am I
> doing something wrong here?  I am using version 1.8.

This event is a user space originating event and it depends on shadow-utils 
being correctly patched to generate the events specified in:

http://people.redhat.com/sgrubb/audit/user-account-lifecycle.txt

If it doesn't, you should file a bug report against the shadow-utils package of 
your distribution so that they know about the issue.

-Steve
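
The distinction in the reply above, as an added example that is not part of the original message: the watch rule yields kernel SYSCALL records tagged with the key, while ADD_USER only appears if useradd itself emits it. The log lines are constructed and simplified, the function names are hypothetical, and correlating by pid within a 5-second window is an assumption of this sketch.

```python
import re

# Constructed, simplified audit.log lines (not captured from a real host).
# pid 2101: useradd ran and reported ADD_USER; pid 2155: useradd ran silently.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1436198400.101:310): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=1000 uid=0 comm="useradd" exe="/usr/sbin/useradd" key="user_modification"
type=ADD_USER msg=audit(1436198400.250:311): pid=2101 uid=0 auid=1000 ses=1 msg='op=adding user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=SYSCALL msg=audit(1436198460.007:320): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2155 auid=1000 uid=0 comm="useradd" exe="/usr/sbin/useradd" key="user_modification"
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
PID = re.compile(r'\bpid=(\d+)')      # \b keeps this from matching ppid=
KEY = re.compile(r'\bkey="([^"]*)"')


def parse_record(line):
    """Return the fields needed for correlation, or None for non-audit lines."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, stamp, serial, body = m.groups()
    pid = PID.search(body)
    key = KEY.search(body)
    return {"type": rtype, "time": float(stamp), "serial": int(serial),
            "pid": int(pid.group(1)) if pid else None,
            "key": key.group(1) if key else None}


def find_unreported_useradd(log_text, key="user_modification", window=5.0):
    """SYSCALL hits for `key` with no ADD_USER from the same pid within `window` s."""
    records = [r for r in map(parse_record, log_text.splitlines()) if r]
    add_user = [r for r in records if r["type"] == "ADD_USER"]
    missing = []
    for rec in records:
        if rec["type"] != "SYSCALL" or rec["key"] != key:
            continue
        reported = any(
            rec["pid"] is not None and a["pid"] == rec["pid"]
            and 0 <= a["time"] - rec["time"] <= window for a in add_user)
        if not reported:
            missing.append((rec["serial"], rec["pid"]))
    return missing


if __name__ == "__main__":
    for serial, pid in find_unreported_useradd(SAMPLE_LOG):
        print(f"event {serial}: useradd pid {pid} ran but emitted no ADD_USER record")
```

A flagged execution can also be a useradd run that never created an account, so treat the result as a prompt to check the shadow-utils build rather than as proof that it is unpatched.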



