Quote:
    Originally Posted by skywalker850i
    dir:/var/audit
    flags:lo,ad,cc,ex
    minfree:20
    naflags:lo
    23:AUE_EXECVE:execve(2):ps,ex,cc
Since you added cc, which contains AUE_EXECVE, you don't need ex. What other events have you tagged with cc?
Quote:
    Now, I can't see things like (cd / or ls -ltr) commands, or I may need to look deeper into the log files. In addition, the size of the logs is in gigs; it looks like I am going to need to acquire more disk space soon!!
It is strange that you see events from the ot and cl classes, as you don't have those in audit_control. What does audit_user look like?
Could you run auditconfig -getpinfo pid, where pid is the shell where you want to see the exec(2)'s?
To pick out the exec(2)'s you should run:
    auditreduce -m AUE_EXECVE /path/to/audit-trail | praudit
Quote:
    The idea behind this auditing thing is to have all commands logged. Now, I didn't think the output was going to be like that. If I get a request from management to produce the command set for one of the users, it is going to be a nightmare to have something that will explain to them what that user did in a nice layout.
If you want to work with just one user, you can use the -u aid option to auditreduce in conjunction with the example above. That way you'll just get the exec(2)'s belonging to that user.
Quote:
    Any idea when the GUI will be downloadable?
The beta will be out in about one to two months. It is more or less ready now, but there is a lot of polishing to do...
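The reply above gives the pipeline (auditreduce -m AUE_EXECVE ... | praudit, optionally with -u aid) but praudit's multi-line token output is still not the "nice layout" management asked for. The following is an added example, not code from the thread or from Solaris: a small sh/awk filter that collapses each execve(2) record into one "timestamp, audit user, status, command line" row. The sample trail embedded below is constructed, and its token layout (header, exec_args, subject, return) is an assumption that approximates praudit's default text format; the real pipeline would feed praudit's output into the filter instead of the sample.

```shell
#!/bin/sh
# Added example (not from the original thread or from Solaris itself).
# Reads praudit text records on stdin and prints one line per execve(2)
# record: <timestamp>  <audit user>  <ok|FAILED>  <command line>.
# Intended use on a real trail, building on the commands in the thread:
#   auditreduce -m AUE_EXECVE -u skywalker /var/audit/* | praudit | exec_summary
exec_summary() {
    awk -F, '
        # A header token opens a record: keep the event name ($4) and the
        # timestamp, which praudit puts in the last column of the header.
        /^header,/ { ev = $4; ts = $NF; cmd = ""; who = "" }
        # exec_args,<count>,arg1,arg2,... : rebuild the command line.
        # Caveat: an argument containing a comma would be split by -F, here.
        /^exec_args,/ {
            cmd = $3
            for (i = 4; i <= NF; i++) cmd = cmd " " $i
        }
        # subject,<audit-uid>,<uid>,<gid>,... : the audit-uid (field 2) is
        # the login identity and survives su(1M), so report that one.
        /^subject,/ { who = $2 }
        # The return token closes the record; emit only execve(2) records.
        /^return,/ && ev == "execve(2)" {
            status = ($2 == "success") ? "ok" : "FAILED"
            printf "%s  %-12s %-6s %s\n", ts, who, status, cmd
        }
    '
}

# Constructed sample trail (assumption: layout approximates praudit output).
# Three records: a successful ls, an unrelated fork(2) record that must be
# skipped, and a failed exec of a script without execute permission.
SAMPLE_TRAIL='header,129,2,execve(2),,sol10host,2008-03-12 09:15:02.123 +00:00
path,/usr/bin/ls
attribute,100555,root,bin,8388614,1234,0
exec_args,2,ls,-ltr
subject,skywalker,skywalker,staff,skywalker,staff,4321,1000,0 0 sol10host
return,success,0
header,80,2,fork(2),,sol10host,2008-03-12 09:15:30.000 +00:00
subject,skywalker,skywalker,staff,skywalker,staff,4322,1000,0 0 sol10host
return,success,4323
header,140,2,execve(2),,sol10host,2008-03-12 09:16:40.500 +00:00
path,/export/home/skywalker/backup.sh
attribute,100644,skywalker,staff,8388614,1235,0
exec_args,1,./backup.sh
subject,skywalker,skywalker,staff,skywalker,staff,4330,1000,0 0 sol10host
return,failure: Permission denied,-1'

# Run the filter over the constructed sample (stand-alone demonstration).
summarize_sample() {
    printf '%s\n' "$SAMPLE_TRAIL" | exec_summary
}

summarize_sample
```

On a live system the filter only needs praudit's text on stdin, so it can be appended to the thread's own pipeline; the -u aid option to auditreduce already restricts the records to one user, and the second column lets you confirm that restriction held.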