Re: how to use auditd to record all user command history

2013-10-29 Thread shawn wilson
On Mon, Oct 7, 2013 at 1:30 PM, zhu xiuming xiuming...@gmail.com wrote: This is correct. The problem is, this records every keystroke and even the passwords of the users. While I only care about the user command history, I surely do not want to know their passwords. There is another problem

Re: [PATCH] audit: Add cmdline to taskinfo output

2013-10-29 Thread Steve Grubb
On Monday, October 28, 2013 04:50:38 PM William Roberts wrote: On some devices, the cmdline and task info vary. For instance, on Android, the cmdline is set to the package name, and the task info is the name of the VM, which is not very helpful. The additional cmdline output only runs if the

Re: [PATCH] audit: Add cmdline to taskinfo output

2013-10-29 Thread William Roberts
On Tue, Oct 29, 2013 at 8:14 AM, Steve Grubb sgr...@redhat.com wrote: On Monday, October 28, 2013 04:50:38 PM William Roberts wrote: On some devices, the cmdline and task info vary. For instance, on Android, the cmdline is set to the package name, and the task info is the name of the VM,

Re: [PATCH] audit: Add cmdline to taskinfo output

2013-10-29 Thread Steve Grubb
Hello, On Tuesday, October 29, 2013 10:44:48 AM William Roberts wrote: On Tue, Oct 29, 2013 at 8:14 AM, Steve Grubb sgr...@redhat.com wrote: On Monday, October 28, 2013 04:50:38 PM William Roberts wrote: I'm 100% ok with the dynamic option changing it from NULL to a real value IMO a like

Re: [PATCH] audit: Add cmdline to taskinfo output

2013-10-29 Thread William Roberts
On Tue, Oct 29, 2013 at 12:01 PM, Steve Grubb sgr...@redhat.com wrote: Hello, On Tuesday, October 29, 2013 10:44:48 AM William Roberts wrote: On Tue, Oct 29, 2013 at 8:14 AM, Steve Grubb sgr...@redhat.com wrote: On Monday, October 28, 2013 04:50:38 PM William Roberts wrote: I'm 100% ok

auid?

2013-10-29 Thread leam hall
Hey all, I'm trying to find a definition of auid, besides audit UID. If user Joe with UID 1814 logs in and sudo to application account british which has a UID of 1776, is the auid of Joe's action 1814 or 1776? If someone does an su - to root, is their auid 0? Thanks! Leam -- Mind on a

Re: auid?

2013-10-29 Thread leam hall
James, thanks! I thought that was it, but I have to brief on recommended audit.rules changes and hate telling someone something when I'm not sure. Leam On Tue, Oct 29, 2013 at 3:43 PM, CHAPLIN, JAMES (CTR) james.chap...@cbp.dhs.gov wrote: His auid will be 1814 and does not change as long as

What constitutes -f failure?

2013-10-29 Thread leam hall
The -f flag is set to 0, 1, or 2 and specifies what to do on failure. Is that failure any logging event? Or just logging events when the backlog is higher than whatever the -b option sets it to? Thanks! Leam -- Mind on a Mission http://leamhall.blogspot.com/ -- Linux-audit mailing list

Re: [PATCH] audit: Add cmdline to taskinfo output

2013-10-29 Thread Steve Grubb
On Tuesday, October 29, 2013 12:12:29 PM William Roberts wrote: too small for most package names, and already contains the VM command. I really have no information of what Android App has created the issue. This is true for all arches. Usually you can have it pretty narrowly defined

Re: auid?

2013-10-29 Thread Steve Grubb
On Tuesday, October 29, 2013 03:39:35 PM leam hall wrote: I'm trying to find a definition of auid, besides audit UID. If user Joe with UID 1814 logs in and sudo to application account british which has a UID of 1776, is the auid of Joe's action 1814 or 1776? If someone does an su - to root, is

Re: What constitutes -f failure?

2013-10-29 Thread Steve Grubb
On Tuesday, October 29, 2013 03:51:53 PM leam hall wrote: The -f flag is set to 0, 1, or 2 and specifies what to do on failure. Is that failure any logging event? Or just logging events when the backlog is higher than whatever the -b option sets it to? Thanks! Leam From the auditctl man

Re: What constitutes -f failure?

2013-10-29 Thread leam hall
Steve, thanks! Leam On Tue, Oct 29, 2013 at 4:17 PM, Steve Grubb sgr...@redhat.com wrote: On Tuesday, October 29, 2013 03:51:53 PM leam hall wrote: The -f flag is set to 0, 1, or 2 and specifies what to do on failure. Is that failure any logging event? Or just logging events when the

Re: [PATCH] audit: Add cmdline to taskinfo output

2013-10-29 Thread William Roberts
On Tue, Oct 29, 2013 at 12:55 PM, Steve Grubb sgr...@redhat.com wrote: On Tuesday, October 29, 2013 12:12:29 PM William Roberts wrote: too small for most package names, and already contains the VM command. I really have no information of what Android App has created the issue.

Re: ABIs, syscall tables, and the AUDIT_ARCH_* defines

2013-10-29 Thread Eric Paris
On Tue, 2013-10-29 at 17:28 -0400, Paul Moore wrote: Take x86_64 and x32 as an example (think of x32 as a 32-bit version of x86_64). Both x32 and x86_64 use the AUDIT_ARCH_X86_64 value and general calling convention, but they have a different syscall table. I guess a good question is is

Re: [PATCH] audit: Add cmdline to taskinfo output

2013-10-29 Thread William Roberts
On Tue, Oct 29, 2013 at 1:25 PM, William Roberts bill.c.robe...@gmail.com wrote: On Tue, Oct 29, 2013 at 12:55 PM, Steve Grubb sgr...@redhat.com wrote: On Tuesday, October 29, 2013 12:12:29 PM William Roberts wrote: too small for most package names, and already contains the VM

Re: [PATCH] audit: Add cmdline to taskinfo output

2013-10-29 Thread William Roberts
On Tue, Oct 29, 2013 at 4:24 PM, William Roberts bill.c.robe...@gmail.com wrote: On Tue, Oct 29, 2013 at 1:25 PM, William Roberts bill.c.robe...@gmail.com wrote: On Tue, Oct 29, 2013 at 12:55 PM, Steve Grubb sgr...@redhat.com wrote: On Tuesday, October 29, 2013 12:12:29 PM William