Let me rephrase. It would report an audit record only if a general user uses the 'date' command, but do nothing if root executes it.
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fulda, Paul (Space Technology)
Sent: Tuesday, September 23, 2008 11:18 AM
To: [email protected]
Subject: Example

Can someone give me an example of how to audit the "date" command in the audit.rules file? I would like for it to report only failures for a user using the command. Root using the command would report nothing. I can get this working for file watches but not for executables using:

-a exit,always -w /etc/shadow -S open -F success!=1

Thanks!
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
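
One way to write the rules asked about in this thread, as an added example that is not part of the original messages. It assumes an x86_64 host, that the binary is at /bin/date, and uses made-up key names; it covers both readings of the request (any execution by a non-root user, and only failed attempts to set the clock).

```conf
# Added example for /etc/audit/audit.rules (not from the thread).
# Assumptions: date is installed at /bin/date (confirm with `command -v date`),
# the host is x86_64, and the -k key names are hypothetical labels.

# Reading 1: record every execution of date by a non-root user.
# perm=x restricts the path match to execute access; uid!=0 means a
# process whose real uid is 0 generates no record.
-a always,exit -F path=/bin/date -F perm=x -F uid!=0 -k date-exec

# Reading 2: record only FAILED attempts to set the clock by non-root users.
# `date -s` ends up in settimeofday/clock_settime (stime on 32-bit), which
# return EPERM without CAP_SYS_TIME. success=0 keeps only failing calls.
# Note: these rules match any program making the call, not just date.
-a always,exit -F arch=b64 -S settimeofday -S clock_settime -F success=0 -F uid!=0 -k time-set-denied
-a always,exit -F arch=b32 -S settimeofday -S clock_settime -S stime -F success=0 -F uid!=0 -k time-set-denied
```

Because the filter is on uid, a user who has already become root through su or sudo is treated as root; filtering on auid instead keys the rule to the login identity. Records can be pulled by key with `ausearch -k date-exec`.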
