On Sunday, July 22, 2012 10:31:23 AM Michael Mather wrote:
> I have written my own version of aureport. It is still buggy etc, but it
> does already provide something interesting.
>
> For example, it can show command lines. It takes something in the log
> like:
> uid=1000 euid=0
> argc=4 a0="sudo" a1="cp" a2="qwerty" a3="/etc/xxx"
>
> uid = 0 euid=0
> argc=4 a0="cp" a1="qwerty" a2="/etc/xxx"
>
> and puts out:
> uid   euid  command
> ---   ----  -------
> 1000  0     sudo cp qwerty /etc/xxx
> 0     0     cp qwerty /etc/xxx
>
> which is interesting.
>
> My question is whether I could have done something like this with
> aureport.

You can't today. I think this is an omission in the current design. I will try
to fix aureport to output this.

-Steve

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
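
The report described in the quoted message (uid and euid from the SYSCALL record, argv from the EXECVE record of the same audit event), as an added example that is not code from this thread or from the audit project. The log lines are constructed, and `command_lines` and `decode_arg` are hypothetical names; the example also decodes the hex form the kernel uses for arguments that contain spaces or other special characters.

```python
import re
import shlex
from collections import OrderedDict

# Constructed sample records in raw audit.log layout (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1342967483.101:501): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 gid=1000 euid=0 suid=0 comm="sudo" exe="/usr/bin/sudo"
type=EXECVE msg=audit(1342967483.101:501): argc=4 a0="sudo" a1="cp" a2="qwerty" a3="/etc/xxx"
type=SYSCALL msg=audit(1342967483.140:502): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 gid=0 euid=0 suid=0 comm="cp" exe="/bin/cp"
type=EXECVE msg=audit(1342967483.140:502): argc=3 a0="cp" a1=6D792066696C65 a2="/etc/xxx"
"""

EVENT_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)$')
ARG_RE = re.compile(r'\ba(\d+)=("[^"]*"|\S+)')   # a0=..., a1=...; skips argc=
ID_RE = re.compile(r'\b(uid|euid)=(\d+)')        # \b keeps auid/suid/fsuid out


def decode_arg(raw):
    """Quoted values are literal; unquoted values are hex-encoded bytes."""
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    except ValueError:
        return raw  # not hex (e.g. "(null)"): keep exactly as logged


def command_lines(log_text):
    """Return [(uid, euid, command)] for each event that has an EXECVE record."""
    events = OrderedDict()  # event id "timestamp:serial" -> collected fields
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        ev = events.setdefault(event_id, {})
        if rtype == 'SYSCALL':
            ev.update({k: int(v) for k, v in ID_RE.findall(body)})
        elif rtype == 'EXECVE':
            args = sorted((int(i), decode_arg(v)) for i, v in ARG_RE.findall(body))
            ev['argv'] = [v for _, v in args]
    # shlex.join keeps argument boundaries visible ("my file" stays one argument)
    return [(ev.get('uid'), ev.get('euid'), shlex.join(ev['argv']))
            for ev in events.values() if 'argv' in ev]


if __name__ == '__main__':
    print('uid   euid  command')
    for uid, euid, cmd in command_lines(SAMPLE_LOG):
        print(f'{uid!s:<5} {euid!s:<5} {cmd}')
```

A row whose uid differs from its euid, like the first one here, marks a command that ran with changed privileges.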
