USER_CMD

Chris Nandor pudge at pobox.com
Thu Jul 14 21:28:39 UTC 2016


Ah, I see.  I didn't get that it was sudo itself doing it (assuming it was
linked to libaudit).  Yes, in 12.04, libaudit is not part of the base
system.  I've tried it in a vagrant box under 16.04, ldd reports libaudit
is linked, and it works fine there.

I think we'll just skip pam_tty_audit (since it records passwords on
12.04's kernel) and USER_CMD on our 12.04 boxes.

Thanks!


On Thu, Jul 14, 2016 at 12:50 PM, Steve Grubb <sgrubb at redhat.com> wrote:

> On Thursday, July 14, 2016 12:44:02 PM EDT Chris Nandor wrote:
> > So how do I get it then?
>
> You just run a command under sudo and it does it. There is a chance that your
> copy of sudo does not have auditing enabled. You can try using ldd to see if
> it's linked to the audit libraries. If not, then it's not supported.
>
> -Steve
>
> > I found a 9-year old mail from you about bash
> > --audit and aubash but that isn't working for me.
> > > On Jul 14, 2016, at 12:06, Steve Grubb <sgrubb at redhat.com> wrote:
> > >> On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote:
> > >> Sorry, I guess I should have been more clear ... what sort of rule would
> > >> make it show up?  I'm not seeing it.
> > >
> > > It's hardwired. You don't need to add a rule. The rules that you add always
> > > result in SYSCALL events. You should also add a key to every rule as a
> > > reminder of what it means. So, any SYSCALL event that does not have a key
> > > is triggered by something else like a SELinux AVC.
> > >
> > > -Steve
> > >
> > >>> On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> > >>>> On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
> > >>>> How does one get USER_CMD records into the audit.log?
> > >>>
> > >>> The sudo command is the usual way.
> > >>>
> > >>> -Steve
> > >>>
> > >>> --
> > >>> Linux-audit mailing list
> > >>> Linux-audit at redhat.com
> > >>> https://www.redhat.com/mailman/listinfo/linux-audit
>
>
>
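As an added example, not code from the thread or from the audit project: a small POSIX shell script for the two checks discussed above, Steve's ldd test for whether sudo is linked against libaudit, and a scan that counts USER_CMD records and flags SYSCALL records carrying no key (the ones the thread says were not produced by one of your own rules). The audit records it feeds in are constructed samples in audit.log format, not captured output.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE records below are constructed.

# 1. Is the sudo on this box linked against libaudit (Steve's ldd check)?
#    Prints a verdict; returns 0 when linked, 1 when not, 2 when sudo is absent.
sudo_has_libaudit() {
    bin=$(command -v sudo 2>/dev/null) || { echo "sudo not found"; return 2; }
    if ldd "$bin" 2>/dev/null | grep -q 'libaudit\.so'; then
        echo "linked"; return 0
    fi
    echo "not-linked"; return 1
}

# 2. Read audit.log lines on stdin and summarise them. A SYSCALL record
#    written by one of your rules carries key="..."; key=(null) (or no key
#    field at all) means something else, e.g. an SELinux AVC, triggered it.
#    The cmd= field of a USER_CMD record is hex-encoded; ausearch -i decodes it.
classify_audit_lines() {
    awk '
        /^type=USER_CMD / { user_cmd++ }
        /^type=SYSCALL /  {
            syscall++
            if ($0 ~ /key=\(null\)/ || $0 !~ /key=/) unkeyed++
        }
        END { printf "user_cmd=%d syscall=%d unkeyed_syscall=%d\n", user_cmd, syscall, unkeyed }'
}

# Constructed sample: one sudo USER_CMD record (cmd is hex for "ls /etc"),
# one keyed SYSCALL from a rule, one unkeyed SYSCALL from elsewhere.
sample_records() {
cat <<'EOF'
type=USER_CMD msg=audit(1468531719.123:456): pid=1234 uid=1000 auid=1000 ses=2 msg='cwd="/home/chris" cmd=6C73202F657463 terminal=pts/0 res=success'
type=SYSCALL msg=audit(1468531720.001:457): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=1235 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="etc-watch"
type=SYSCALL msg=audit(1468531721.002:458): arch=c000003e syscall=59 success=no exit=-13 ppid=1 pid=1236 auid=1000 uid=1000 comm="bash" exe="/bin/bash" key=(null)
EOF
}

status=$(sudo_has_libaudit) || :
echo "sudo libaudit check: $status"
sample_records | classify_audit_lines
```

On a real box, replace `sample_records` with `cat /var/log/audit/audit.log` (or the output of `ausearch`) to run the same classification over live records.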