I think there are a few ways you can do this with auditd (these both
assume you've set up pam_loginuid):

If your admins are a finite set of uids, you could do something like

  auditctl -a exit,always -F auid=<admin1> -F success=1
  auditctl -a exit,always -F auid=<admin2> -F success=1
  ...
  auditctl -a exit,always -F auid=<adminN> -F success=1

or if by administrators you mean actions run as root (e.g. with sudo or
su), you can do something like

  auditctl -a exit,always -F auid!=0 -F euid=0 -F success=1

You'll probably want to restrict which syscalls you care about, e.g.
open/execve/chmod/unlink, whatever. Those rules as they're written will
log a lot more than you likely want.

On Wed, Feb 8, 2012 at 6:30 AM, Jender, Raymond [USA] <[email protected]> wrote:
> How would you set up audit.rules to log any action by administrators?
>
> Thanks,
>
> Ray
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit

--
Peter Moody
Google
1.650.253.7306
Security Engineer
pgp:0xC3410038
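The following is an added example, not code from the thread or from the
audit project: a small POSIX shell script that builds the two rule sets
described above in audit.rules syntax, scoped to a syscall list as the
reply recommends. It goes beyond the thread in three ways, all assumptions
of this example: it pins each rule to an ABI with -F arch (so syscall names
resolve for both b64 and b32), tags the rules with -k keys so the events can
be pulled back with ausearch -k, and excludes the unset login uid
4294967295 from the became-root rule (processes with no pam_loginuid
session would otherwise match auid!=0). The uids 1001 and 1002 and the key
names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates audit.rules
# lines for "actions by a fixed set of admin uids" and for "actions taken
# as root by a real login", restricted to a syscall list.
# Constructed values: uids 1001 1002, keys admin-activity / root-activity.

# One rule per admin uid per ABI. The -k key is how you find the events
# again later (ausearch -k admin-activity).
admin_uid_rules() {
    key=$1
    syscalls=$2
    shift 2
    for uid in "$@"; do
        for arch in b64 b32; do
            echo "-a always,exit -F arch=$arch -S $syscalls -F auid=$uid -F success=1 -k $key"
        done
    done
}

# "Became root" rule: a logged-in non-root user (auid set and not 0)
# acting with euid 0, i.e. via sudo/su. 4294967295 is the unset auid
# carried by daemons started at boot, which auid!=0 alone would match.
root_escalation_rule() {
    key=$1
    syscalls=$2
    for arch in b64 b32; do
        echo "-a always,exit -F arch=$arch -S $syscalls -F auid!=0 -F auid!=4294967295 -F euid=0 -F success=1 -k $key"
    done
}

# The syscall list from the reply (open/execve/chmod/unlink); assumed
# x86 ABIs where all four names exist on both b64 and b32.
SYSCALLS=execve,open,chmod,unlink

# Full rule set; write its output to a file and load it with
# auditctl -R <file>, or drop it under /etc/audit/rules.d/ for augenrules.
build_rules() {
    admin_uid_rules admin-activity "$SYSCALLS" 1001 1002
    root_escalation_rule root-activity "$SYSCALLS"
}

# Number of rules produced (2 uids x 2 ABIs + 2 root rules = 6).
rule_count() {
    build_rules | wc -l | tr -d ' '
}
```

Usage: `sh admin-rules.sh > /etc/audit/rules.d/50-admin.rules` after adding a
final line `build_rules` to the script, then `augenrules --load`; events
show up with `ausearch -k admin-activity` and `ausearch -k root-activity`.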
