Auditd is very noisy in logging. That means one possibly has to dig through a lot of log records.
As you see above, the key audit_all_commands is in the line, so you can grep for your configured string. And uid in the first line shows 0, which is root. But the auid value shows 1004, which is the real user id (the one which originally logged on to the system before using su or sudo; so it's a good idea to restrict direct root access and only allow sudo for becoming root).
The second line is linked with the first line through the audit-id field (audit(1575314015.062:20)) and shows you the linked command with the parameters executed.
What can you do with Linux-Audit?
Trace commands with rules to include or exclude specific events
Trace file system activities (access with type: read, write, permission change, execute) on selected files or directory trees
Trace standard Linux management activities (user/group management, firewall configuration, audit log config changes, ...)
Set up logging to remote sites or syslog
Use it to log important information into it yourself
I worked the last 3 months with it and did a lot with it. For example I created a little Perl script which uses inotify & git & audit to log diffs of config file changes into the audit log, which could then be tracked down to the causing user accounts.
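Added example (not code from the post above, and not the poster's Perl script): a small Python parser that does what the post describes by hand, i.e. finds records by their rule key and joins the SYSCALL record of an event with its EXECVE record through the audit id, so that auid (the user who logged in) and uid (the user the command ran as) can be compared. The log lines are constructed to resemble auditd output; the field names (type, msg, auid, uid, key, argc, a0..aN) are the standard audit record fields, but every value, pid and path in them is made up for illustration.

```python
"""Correlate auditd SYSCALL and EXECVE records by audit event id.

Added example, not part of the original post. SAMPLE_LOG is constructed:
it imitates the situation in the post (rule key audit_all_commands, a user
with auid=1004 running a command as root), but the values are invented.
"""
import re
from collections import OrderedDict

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg=audit(TIMESTAMP:SERIAL): -- the serial is what links records of one event
MSG_RE = re.compile(r'^audit\((\d+\.\d+):(\d+)\):?$')
AUID_UNSET = 4294967295  # (unsigned)-1: no login session, e.g. daemons and cron

# Constructed sample records (not real log output).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1575314015.062:20): arch=c000003e syscall=59 success=yes exit=0 a0=55d1c0a0 a1=55d1c0b0 a2=55d1c0c0 a3=0 items=2 ppid=2101 pid=2102 auid=1004 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="cat" exe="/usr/bin/cat" key="audit_all_commands"
type=EXECVE msg=audit(1575314015.062:20): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1575314020.111:21): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=1990 pid=2150 auid=1004 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts0 ses=4 comm="ls" exe="/usr/bin/ls" key="audit_all_commands"
type=EXECVE msg=audit(1575314020.111:21): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1575314025.500:22): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=0 a2=0 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="config_files"
"""


def parse_record(line):
    """Split one raw audit record into a dict of fields.

    The msg=audit(TIMESTAMP:SERIAL) field is expanded into 'event_id'
    (the string shared by all records of one event) and 'timestamp'.
    Surrounding quotes are stripped from quoted values.
    Caveat: auditd hex-encodes values containing spaces or odd bytes
    (unquoted hex string); that encoding is not decoded here.
    """
    rec = {}
    for name, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        rec[name] = value
    m = MSG_RE.match(rec.get('msg', ''))
    if not m:
        raise ValueError('record without msg=audit(...) field: %r' % line)
    rec['timestamp'] = float(m.group(1))
    rec['event_id'] = '%s:%s' % (m.group(1), m.group(2))
    return rec


def group_events(log_text):
    """Group records by event id, in order of first appearance."""
    events = OrderedDict()
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec['event_id'], []).append(rec)
    return events


def execve_argv(records):
    """Rebuild argv from the EXECVE record (a0..aN) of one event, or None."""
    for rec in records:
        if rec.get('type') == 'EXECVE':
            return [rec['a%d' % i] for i in range(int(rec['argc']))]
    return None


def summarize_event(records):
    """Reduce one event to who (auid), as whom (uid), what (argv), why (key)."""
    syscall = next((r for r in records if r.get('type') == 'SYSCALL'), None)
    if syscall is None:
        return None
    auid = int(syscall['auid'])
    uid = int(syscall['uid'])
    return {
        'event_id': syscall['event_id'],
        'key': syscall.get('key'),
        'auid': None if auid == AUID_UNSET else auid,
        'uid': uid,
        'exe': syscall.get('exe'),
        'argv': execve_argv(records),
        # auid survives su/sudo, uid does not: a mismatch means the login
        # user changed identity before this command ran.
        'privilege_change': auid != AUID_UNSET and auid != uid,
    }


def find_by_key(log_text, key):
    """Like grepping for a rule key, but returns correlated events, not lines."""
    results = []
    for records in group_events(log_text).values():
        summary = summarize_event(records)
        if summary and summary['key'] == key:
            results.append(summary)
    return results


if __name__ == '__main__':
    for ev in find_by_key(SAMPLE_LOG, 'audit_all_commands'):
        print(ev)
```

Running it against SAMPLE_LOG reports event 1575314015.062:20 as auid 1004 running `cat /etc/shadow` as uid 0 with privilege_change set, while the second event (auid equal to uid) is not flagged; the cron record shows why auid must be treated as unset rather than compared when it is 4294967295.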