On Wednesday, October 09, 2013 06:28:49 PM Maupertuis Philippe wrote:
> I want to track what people are doing when they change their userid.
> Basically I would like to write:
> -a exit,never -F arch=b32 -S all -F auid=4294967295
> -a exit,never -F arch=b64 -S all -F auid=4294967295
> -a exit,always -F arch=b32 -S all -F auid>1000 -F uid!=auid -k userchange
> -a exit,always -F arch=b64 -S all -F auid>1000 -F uid!=auid -k userchange
>
> However it seems that it's not a valid syntax.
> Is there a way to achieve that?
Yes there is. It requires a newish kernel and user space. But the rules are like this:

-a always,exit -F arch=b32 -S all -F auid!=4294967295 -C auid!=uid
-a exit,always -F arch=b32 -S all -F auid>1000 -F auid!=4294967295 -C auid!=uid -k userchange

And the same for b64.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
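As an added illustration (not part of the thread and not auditctl's own code), the following Python checker parses the -F/-C filters of a rule line into a predicate and runs it over constructed SYSCALL-style records. It shows why the field-to-field test needs -C: -F compares a field against a constant, while -C compares two fields. The field list, the rule tokenizer and the sample records are my simplification, not the audit subsystem's real parser.

```python
"""Added example: evaluate auditctl -F/-C filters against constructed events."""
import operator
import re

OPS = {"!=": operator.ne, ">=": operator.ge, "<=": operator.le,
       "=": operator.eq, ">": operator.gt, "<": operator.lt}
FIELDS = {"auid", "uid", "euid", "gid", "pid", "arch"}  # simplified subset
FILTER_RE = re.compile(r"^(\w+)(!=|>=|<=|=|>|<)(\w+)$")

# Steve's rule (b64 variant) and constructed SYSCALL records reduced to the
# fields the rule uses; auid 4294967295 is the "unset" login uid of daemons.
RULE = ("-a exit,always -F arch=b64 -S all -F auid>1000 "
        "-F auid!=4294967295 -C auid!=uid -k userchange")
EVENTS = [
    {"arch": "b64", "auid": 4294967295, "uid": 0},  # daemon, no login uid
    {"arch": "b64", "auid": 1001, "uid": 1001},     # user acting as self
    {"arch": "b64", "auid": 1001, "uid": 0},        # user who became root
    {"arch": "b64", "auid": 500, "uid": 0},         # system account < 1000
]

def parse_rule(rule):
    """Return (lhs, op, rhs, is_field_compare) tuples from -F/-C options."""
    toks = rule.split()
    preds = []
    for flag, arg in zip(toks, toks[1:]):
        if flag not in ("-F", "-C"):
            continue
        m = FILTER_RE.match(arg)
        if not m:
            raise ValueError(f"bad filter {arg!r}")
        lhs, op, rhs = m.groups()
        if flag == "-F" and rhs in FIELDS:
            raise ValueError(f"-F compares a field to a value; use -C {arg}")
        if flag == "-C" and rhs not in FIELDS:
            raise ValueError(f"-C compares two fields: {arg}")
        preds.append((lhs, op, rhs, flag == "-C"))
    return preds

def is_valid(rule):
    """True if every -F/-C filter in the rule parses under the rules above."""
    try:
        parse_rule(rule)
        return True
    except ValueError:
        return False

def matches(preds, event):
    """Apply all filters (ANDed, as auditctl does) to one event."""
    for lhs, op, rhs, field_cmp in preds:
        right = event[rhs] if field_cmp else (int(rhs) if rhs.isdigit() else rhs)
        if not OPS[op](event[lhs], right):
            return False
    return True

def audit(rule=RULE, events=EVENTS):
    """Return the events the rule would record."""
    preds = parse_rule(rule)
    return [e for e in events if matches(preds, e)]
```

Running audit() keeps only the record where a logged-in user (auid 1001) is acting as a different uid; the original -F uid!=auid form is rejected by is_valid().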