Hello Steve! OK, the last puzzle piece was loginuid=0 !! -.-
My current audit rules for the use-case "logging root user actions, without too much noise":

#
# delete all rules
-D
# set backlog_limit, default=320
-b 8192
# do not audit cron jobs
-a user,never -F subj_type=crond_t
-a exit,never -F subj_type=crond_t
# audit root actions from users switching to root
-a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0 -k root-commands
-a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0 -k root-commands
# audit root actions with loginuid root
-a always,exit -F arch=x86_64 -S execve -F auid=0 -F uid=0 -k root-commands
# i386 counterpart (the posted copy repeated the x86_64 line, which auditctl rejects as a duplicate)
-a always,exit -F arch=i386 -S execve -F auid=0 -F uid=0 -k root-commands
#EOF

Thank you for the tips. I wonder how you manage to do all that great stuff and still find the time to support people. Great job!

Best regards,
Orhan
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
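As an added illustration (not part of the original post or of the audit project itself), the following script applies the same predicates as the rules above to audit.log records offline: execve only, uid=0, and either auid=0 (direct root login) or auid>=500 with auid not unset (a user who switched to root). Records with auid=4294967295 (the "-1"/unset login uid carried by cron jobs and daemons) drop out exactly as they do under the rules. The log lines are constructed sample data, not real output, and the uid boundary of 500 is an assumed parameter mirroring the rules.

```python
"""Replay the 'root-commands' audit predicates over constructed audit.log records."""
import re
from collections import OrderedDict

# Constructed sample records (not captured from a real system). Serial 4501 is a
# user (auid=500) running a command as root, 4502 is a cron child with no login
# uid, 4503 is a direct root login (auid=0), 4504 is an ordinary unprivileged command.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1357909000.123:4501): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b3c a1=4d5e6f ppid=2100 pid=2101 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="root-commands"
type=EXECVE msg=audit(1357909000.123:4501): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1357909010.456:4502): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b3c a1=4d5e6f ppid=2100 pid=2105 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts" subj=system_u:system_r:crond_t:s0-s0:c0.c1023 key=(null)
type=EXECVE msg=audit(1357909010.456:4502): argc=2 a0="run-parts" a1="/etc/cron.hourly"
type=SYSCALL msg=audit(1357909020.789:4503): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b3c a1=4d5e6f ppid=2200 pid=2201 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="root-commands"
type=EXECVE msg=audit(1357909020.789:4503): argc=3 a0="useradd" a1="-m" a2="backdoor"
type=SYSCALL msg=audit(1357909030.111:4504): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b3c a1=4d5e6f ppid=2300 pid=2301 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts2 ses=6 comm="ls" exe="/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=EXECVE msg=audit(1357909030.111:4504): argc=1 a0="ls"
"""

AUID_UNSET = 4294967295            # what auditctl writes for "auid!=-1" / unset login uid
EXECVE_SYSCALL = {"c000003e": 59,  # x86_64 execve
                  "40000003": 11}  # i386 execve

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Return (event serial, {field: value}) for one audit.log line."""
    m = MSG_RE.search(line)
    if not m:
        return None, {}
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return m.group(2), fields


def group_events(log_text):
    """Join the SYSCALL and EXECVE records that share a serial into one event."""
    events = OrderedDict()
    for line in log_text.splitlines():
        serial, f = parse_record(line)
        if serial is None:
            continue
        ev = events.setdefault(serial, {"argv": []})
        if f.get("type") == "SYSCALL":
            ev.update(f)
        elif f.get("type") == "EXECVE":
            argc = int(f["argc"])
            ev["argv"] = [f["a%d" % i] for i in range(argc) if "a%d" % i in f]
    return events


def classify_root_command(ev, uid_min=500):
    """Apply the rule predicates; return a category string or None if the rules would not log it."""
    if int(ev.get("syscall", -1)) != EXECVE_SYSCALL.get(ev.get("arch")):
        return None                              # -S execve on a known arch
    if int(ev.get("uid", -1)) != 0:
        return None                              # -F uid=0
    auid = int(ev["auid"])
    if auid == 0:
        return "direct-root-login"               # -F auid=0
    if auid >= uid_min and auid != AUID_UNSET:
        return "switched-to-root"                # -F auid>=500 -F auid!=-1
    return None                                  # cron/daemon (unset) or system account


def summarize_root_commands(log_text, uid_min=500):
    """List the events the root-commands rules would record, with who ran what."""
    out = []
    for serial, ev in group_events(log_text).items():
        cat = classify_root_command(ev, uid_min)
        if cat:
            out.append({"serial": serial, "auid": int(ev["auid"]), "category": cat,
                        "exe": ev.get("exe"), "argv": ev["argv"]})
    return out


if __name__ == "__main__":
    for r in summarize_root_commands(SAMPLE_AUDIT_LOG):
        print("%(serial)s auid=%(auid)d %(category)s: %(exe)s %(argv)s" % r)
```

Run against the constructed sample it reports serials 4501 and 4503 only; the cron child (4502) disappears because its auid is unset, which is the same reason the `auid!=-1` filter, and not the crond_t exclusion, is what keeps scheduled jobs out of the root-commands key.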
