On Thursday, December 01, 2011 10:12:48 PM MS PRAVEEN wrote: > Can some body help me here to find a rule/ solution to audit only commands > are its arguments executed by users and root . I dont need any more other > events audited since that can fill my free space .
Well, the problem is how can you tell a command being executed from a script calling various programs? Also how can you tell that a file being sourced is a command? (I think in that case a file is opened for read and the shell executes it.) I think the bottom line is its pretty hard to tell. So, what we have is key stroke logging. This gets more than commands, but wouldn't you want to log what people do if its that important? If someone knew that only commands are being logged, they could start python and just start typing commands which won't be otherwise logged. There is a man page for this, pam_tty_audit. -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
