Using audit to log all users commands

Damian Montaldo damianmontaldo at
Mon Jan 11 19:10:44 UTC 2010

On Mon, Jan 11, 2010 at 12:51 PM, Daniel J Walsh <dwalsh at> wrote:
> On 01/11/2010 10:42 AM, Damian Montaldo wrote:
>> Hi, this is my first message to this list and I hope that this is the
>> correct place to post it, don't? If is not, please tell me.
>> So, thanks in advantage.
>> For auditing purposes, I want to log in a server all the users
>> commands and all their arguments [0] using audit (and if is someone
>> have a better idea, I'm all ears!)
>> I was reading over the internet and Fedora related posts and I found
>> [1] that the better way to log users commands, is to add a filter for
>> the execve system call.
>> I'm trying to add a rule like this in the /etc/audit/audit.rules
>> (avoiding the root commands and crons etc)
>> -a always,entry -S execve -F auid>=500
>> But it doesn't work for me :(
>> I think that I have two "things" or problems.
>> First it doesn't work the ">=" auid filter (and sometimes I have the
>> auid "unset" so anyway it's not working)
>> I fixed this adding several rules like:
>> -a always,entry -S execve -F auid=1000
>> -a always,entry -S execve -F auid=1001
>> -a always,entry -S execve -F auid=1002
>> -a always,entry -S execve -F auid=1003
>> .. and so on
>> And second, I have a lot of additional context information and I don't want It.
>> If I can have a simple list like: user command arguments and (less
>> important) path it's great.
>> I do some research and again I found [2] this paragraph:
>> type=SYSCALL ...
>> type=CWD ...
>> type=PATH...
>> The above event, a simple less /var/log/audit/audit.log, wrote three
>> messages to the log. All of them are closely linked together and you
>> would not be able
>> to make sense of one of them without the others. The first message
>> reveals the following
>> information:
>> Confirming that I can't reduce de amount of additional information.
>> Thanks again and excuse me for my English ;)
>> Damian.
>> [0] That's way I can't use sa
>> [1] For example:
>> [2] It is a complete document about audit made by novell:
>> --
>> selinux mailing list
>> selinux at
> I think you want the linux-audit at list for this question.

Yes thanks, but I try to subscribe to that list 3 times starting from
the last friday...

Subscribing to Linux-audit
Subscribe to Linux-audit by filling out the following form. This is a
closed list, which means your subscription will be held for approval.
You will be notified of the list moderator's decision by email. This
is also a hidden list, which means that the list of members is
available only to the list administrator.

I don't know why a list needs to be "closed and moderated" :(

Thanks again.

More information about the selinux mailing list