Ah, I see. I didn't get that it was sudo itself doing it (assuming it was linked to libaudit). Yes, in 12.04, libaudit is not part of the base system. I've tried it in a vagrant box under 16.04, ldd reports libaudit is linked, and it works fine there.
I think we'll just skip pam_tty_audit (since it records passwords on 12.04's kernel) and USER_CMD on our 12.04 boxes. Thanks!

On Thu, Jul 14, 2016 at 12:50 PM, Steve Grubb <[email protected]> wrote:

> On Thursday, July 14, 2016 12:44:02 PM EDT Chris Nandor wrote:
> > So how do I get it then?
>
> You just run a command under sudo and it does it. There is a chance that your
> copy of sudo does not have auditing enabled. You can try using ldd to see if
> it's linked to the audit libraries. If not, then it's not supported.
>
> -Steve
>
> > I found a 9-year-old mail from you about bash
> > --audit and aubash but that isn't working for me.
> >
> > > On Jul 14, 2016, at 12:06, Steve Grubb <[email protected]> wrote:
> > >> On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote:
> > >> Sorry, I guess I should have been more clear ... what sort of rule would
> > >> make it show up? I'm not seeing it.
> > >
> > > It's hardwired. You don't need to add a rule. The rules that you add always
> > > result in SYSCALL events. You should also add a key to every rule as a
> > > reminder of what it means. So, any SYSCALL event that does not have a key
> > > is triggered by something else like a SELinux AVC.
> > >
> > > -Steve
> > >
> > >>> On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb <[email protected]> wrote:
> > >>>> On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
> > >>>> How does one get USER_CMD records into the audit.log?
> > >>>
> > >>> The sudo command is the usual way.
> > >>>
> > >>> -Steve
> > >>>
> > >>> --
> > >>> Linux-audit mailing list
> > >>> [email protected]
> > >>> https://www.redhat.com/mailman/listinfo/linux-audit
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
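
The distinction drawn in the thread (USER_CMD records written by sudo itself, SYSCALL records produced by rules, and SYSCALL records with no key coming from something other than a keyed rule) can be checked against a log with a short script. This is an added example, not code from the thread or from the audit project; the sample lines are constructed, the labels and function names are hypothetical, and it assumes the usual audit.log layout in which an unencoded `cmd` value is quoted and an encoded one is hex.

```python
import re

# Constructed sample lines in the usual audit.log layout (not from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1468514662.101:210): arch=c000003e syscall=2 success=yes exit=3 pid=2290 auid=1000 uid=0 comm="cat" exe="/bin/cat" key="shadow-read"
type=SYSCALL msg=audit(1468514665.332:212): arch=c000003e syscall=59 success=yes exit=0 pid=2295 auid=1000 uid=0 comm="id" exe="/usr/bin/id" key=(null)
type=USER_CMD msg=audit(1468514670.500:215): pid=2301 uid=1000 auid=1000 ses=3 msg='cwd="/home/chris" cmd=6C73202F726F6F74 terminal=pts/0 res=success'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unquote(raw):
    """Drop the surrounding double quotes from a field value, if present."""
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw

def decode_cmd(raw):
    """Decode the USER_CMD cmd field: quoted means literal, bare hex means encoded."""
    if raw.startswith('"'):
        return unquote(raw)
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

def parse(line):
    """Return (record type, event serial, fields) or None for a non-audit line."""
    m = HEADER.match(line)
    if not m:
        return None
    rtype, _ts, serial, body = m.groups()
    # User-space records nest their fields inside msg='...'; flatten that wrapper.
    body = body.replace("msg='", "").rstrip("'")
    return rtype, int(serial), dict(FIELD.findall(body))

def classify(log_text):
    """Label each event: sudo command, keyed rule hit, or unkeyed SYSCALL."""
    out = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        rtype, serial, f = rec
        if rtype == "USER_CMD":
            out.append((serial, "sudo-command", decode_cmd(f.get("cmd", ""))))
        elif rtype == "SYSCALL":
            key = f.get("key", "(null)")
            if key == "(null)":
                out.append((serial, "syscall-unkeyed", unquote(f.get("exe", ""))))
            else:
                out.append((serial, "syscall-rule", unquote(key)))
    return out
```

If `classify` never returns a `sudo-command` entry on a host where sudo is in use, that matches the case described in the thread where sudo is not linked against libaudit.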
