Using audit to log all users commands

Damian Montaldo damianmontaldo at gmail.com
Mon Jan 11 15:42:43 UTC 2010


Hi, this is my first message to this list and I hope that this is the
correct place to post it, isn't it? If it is not, please tell me.
So, thanks in advance.

For auditing purposes, I want to log on a server all the users'
commands and all their arguments [0] using audit (and if someone
has a better idea, I'm all ears!)
I was reading over the internet and Fedora related posts and I found
[1] that the best way to log users' commands is to add a filter for
the execve system call.

I'm trying to add a rule like this in /etc/audit/audit.rules
(avoiding the root commands, crons, etc.):
-a always,entry -S execve -F auid>=500

But it doesn't work for me :(

I think that I have two "things" or problems.

First, the ">=" auid filter doesn't work (and sometimes I have the
auid "unset", so anyway it's not working).
I fixed this by adding several rules like:
-a always,entry -S execve -F auid=1000
-a always,entry -S execve -F auid=1001
-a always,entry -S execve -F auid=1002
-a always,entry -S execve -F auid=1003
... and so on

And second, I have a lot of additional context information and I don't want it.
If I can have a simple list like: user, command, arguments and (less
important) path, that would be great.
I did some research and again I found [2] this paragraph:

type=SYSCALL ...
type=CWD ...
type=PATH...

The above event, a simple less /var/log/audit/audit.log, wrote three
messages to the log. All of them are closely linked together and you
would not be able to make sense of one of them without the others.
The first message reveals the following information:

Confirming that I can't reduce the amount of additional information.

Thanks again and excuse me for my English ;)
Damian.

[0] That's why I can't use sa

[1] For example:
http://osdir.com/ml/linux.redhat.security.audit/2007-04/msg00043.html

[2] It is a complete document about audit made by Novell:
www.novell.com/documentation/sled10/pdfdoc/audit_sp1/audit_sp1.pdf
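The SYSCALL/EXECVE/CWD/PATH records the Novell document describes cannot be trimmed by the rule itself, but they can be collapsed when the log is read. The following is an added example, not code from the original post or from the audit project: it groups raw audit.log records by their event serial (records of one event can interleave with others on a busy host), decodes the hex-encoded argv entries auditd emits for arguments containing spaces or quotes, and skips events whose auid is unset (cron, daemons), which is what the author's auid>=500 rule was meant to exclude. The sample log lines are constructed, not captured from a real system.

```python
import re
from collections import defaultdict

# Constructed raw /var/log/audit/audit.log excerpt (not captured from a real host):
# one execve hit by auid 1000 and one from cron, where auid is unset.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1263224563.123:456): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2001 pid=2002 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key="user-cmds"
type=EXECVE msg=audit(1263224563.123:456): argc=3 a0="ls" a1="-la" a2=2F746D702F666F6F20626172
type=CWD msg=audit(1263224563.123:456):  cwd="/home/damian"
type=PATH msg=audit(1263224563.123:456): item=0 name="/bin/ls" inode=1234 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1263224563.123:456): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5678 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1263224570.001:457): arch=c000003e syscall=59 success=yes exit=0 items=1 ppid=1 pid=3000 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="run-parts" exe="/usr/bin/run-parts" key="user-cmds"
type=EXECVE msg=audit(1263224570.001:457): argc=2 a0="run-parts" a1="/etc/cron.hourly"
type=CWD msg=audit(1263224570.001:457):  cwd="/"
"""
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
UNSET_AUID = 4294967295  # (unsigned)-1: the kernel has no login uid for the process

def unquote(raw, hex_ok=False):
    """Strip audit quoting; auditd hex-encodes argv entries containing spaces/quotes."""
    if raw.startswith('"'):
        return raw[1:-1]
    if hex_ok and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

def extract_commands(log_text, min_auid=500, include_unset=False):
    """Collapse SYSCALL/EXECVE/CWD/PATH records into one row per executed command."""
    events = defaultdict(dict)          # serial -> {record type: fields}
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        serial = SERIAL_RE.search(line).group(1)
        events[serial][fields.pop("type")] = fields   # records of one event may interleave
    rows = []
    for recs in events.values():
        sc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if not sc or not ex:
            continue
        auid = int(sc["auid"])
        unset = auid == UNSET_AUID
        if (unset and not include_unset) or (not unset and auid < min_auid):
            continue
        argv = [unquote(ex.get(f"a{i}", '""'), hex_ok=True) for i in range(int(ex["argc"]))]
        rows.append({"auid": None if unset else auid,
                     "cwd": unquote(recs.get("CWD", {}).get("cwd", '""')),
                     "exe": unquote(sc.get("exe", '""')), "argv": argv})
    return rows
```

Each returned row carries exactly the user (auid), command (argv), and path (cwd, exe) fields the author asked for; feeding it the real audit.log instead of SAMPLE_LOG is a matter of reading the file.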
