So how do I get it then? I found a 9-year-old mail from you about bash --audit and aubash but that isn't working for me.
> On Jul 14, 2016, at 12:06, Steve Grubb <[email protected]> wrote:
>
>> On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote:
>> Sorry, I guess I should have been more clear ... what sort of rule would
>> make it show up? I'm not seeing it.
>
> It's hardwired. You don't need to add a rule. The rules that you add always
> result in SYSCALL events. You should also add a key to every rule as a
> reminder of what it means. So, any SYSCALL event that does not have a key is
> triggered by something else like a SELinux AVC.
>
> -Steve
>
>>> On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb <[email protected]> wrote:
>>>> On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
>>>> How does one get USER_CMD records into the audit.log?
>>>
>>> The sudo command is the usual way.
>>>
>>> -Steve
>>>
>>> --
>>> Linux-audit mailing list
>>> [email protected]
>>> https://www.redhat.com/mailman/listinfo/linux-audit
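Added example, not part of the original thread or of the audit project's code: a small triage script that applies the distinction described in the quoted replies (USER_CMD records come from sudo with no rule needed, rule-driven SYSCALL events carry the rule's key, keyless SYSCALL events are explained by a companion record such as an AVC). The log lines are constructed samples, and `classify` and `decode_cmd` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log layout (not from a real host).
SAMPLE_LOG = """\
type=USER_CMD msg=audit(1468512000.101:410): pid=2101 uid=1000 auid=1000 ses=3 msg='cwd="/home/alice" cmd=636174202F6574632F736861646F77 terminal=pts/0 res=success'
type=SYSCALL msg=audit(1468512000.205:411): arch=c000003e syscall=2 success=yes exit=3 pid=2102 auid=1000 uid=0 comm="cat" exe="/usr/bin/cat" key="shadow-read"
type=AVC msg=audit(1468512003.880:412): avc:  denied  { read } for  pid=2150 comm="httpd" name="shadow" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1468512003.880:412): arch=c000003e syscall=2 success=no exit=-13 pid=2150 auid=4294967295 uid=48 comm="httpd" exe="/usr/sbin/httpd" key=(null)
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_cmd(value):
    """cmd is a quoted literal, or bare hex when the command contains spaces."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def classify(log_text):
    """Return (serial, origin, detail) for each USER_CMD and SYSCALL record."""
    records, types_by_serial = [], defaultdict(set)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, serial, body = m.group(1), int(m.group(2)), m.group(3)
        # USER_* records wrap their payload in msg='...'; unwrap before splitting.
        fields = dict(FIELD.findall(body.replace("msg='", "").rstrip("'")))
        records.append((rtype, serial, fields))
        types_by_serial[serial].add(rtype)
    findings = []
    for rtype, serial, fields in records:
        if rtype == "USER_CMD":
            findings.append((serial, "hardwired (sudo)", decode_cmd(fields.get("cmd", ""))))
        elif rtype == "SYSCALL":
            key = fields.get("key", "(null)").strip('"')
            comm = fields.get("comm", "").strip('"')
            if key != "(null)":
                findings.append((serial, "rule key=" + key, comm))
            else:  # no key: look at the other records sharing this event serial
                others = sorted(types_by_serial[serial] - {"SYSCALL"})
                findings.append((serial, "no key, with " + ",".join(others), comm))
    return findings

if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(row)
```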
