From mboxrd@z Thu Jan 1 00:00:00 1970
From: Damian Tykałowski
Subject: Problem with watching power commands - key is not logged
Date: Sat, 28 Jan 2017 13:16:19 +0100
Message-ID: <00bd01d27960$5598e330$00caa990$@gmail.com>
To: linux-audit@redhat.com

Hi

I'm struggling to get proper auditing of the usage of power commands; here's what I've got in the rules:

[root@host01 ~]# cat /etc/audit/audit.rules | grep power
-w /sbin/shutdown -p rwx -k power
-w /sbin/poweroff -p rwx -k power
-w /sbin/reboot -p rwx -k power
-w /sbin/halt -p rwx -k power
-w shutdown -p rwx -k power
-w poweroff -p rwx -k power
-w reboot -p rwx -k power
-w halt -p rwx -k power

However, despite a full host reboot/refreshing the rules, I'm not getting events with the proper key "power":

[root@host01 ~]# cat /var/log/audit/audit.log | grep power
<empty>

Events are logged, though, but without a key:

type=USER_CMD msg=audit(1485604576.755:679): pid=3490 uid=5004 auid=5004 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1485604729.923:658): pid=3428 uid=5004 auid=5004 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'

Any idea what is wrong? Rules with other keys seem to work.
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Richard Guy Briggs
Subject: Re: Problem with watching power commands - key is not logged
Date: Sun, 29 Jan 2017 16:40:36 -0500
Message-ID: <20170129214036.GD7067@madcap2.tricolour.ca>
In-Reply-To: <00bd01d27960$5598e330$00caa990$@gmail.com>
To: Damian Tykałowski
Cc: linux-audit@redhat.com

On 2017-01-28 13:16, Damian Tykałowski wrote:
> Hi

Hi Damian,

> I'm struggling to get proper auditing of usage of power commands, here's
> what I've got in rules
>
> [root@host01 ~]# cat /etc/audit/audit.rules | grep power
> -w /sbin/shutdown -p rwx -k power
> -w /sbin/poweroff -p rwx -k power
> -w /sbin/reboot -p rwx -k power
> -w /sbin/halt -p rwx -k power
> -w shutdown -p rwx -k power
> -w poweroff -p rwx -k power
> -w reboot -p rwx -k power
> -w halt -p rwx -k power
>
> However despite full host reboot/refreshing rules I'm not getting events
> with proper key "power"
>
> [root@host01 ~]# cat /var/log/audit/audit.log | grep power
> <empty>
>
> Events are logged though but without key
>
> type=USER_CMD msg=audit(1485604576.755:679): pid=3490 uid=5004 auid=5004
> ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
>
> type=USER_CMD msg=audit(1485604729.923:658): pid=3428 uid=5004 auid=5004
> ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
>
> Any idea what is wrong? Rules with other keys seem to work.

I suspect you have another rule that is catching it first?


- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Damian Tykałowski
Subject: Re: Problem with watching power commands - key is not logged
Date: Mon, 30 Jan 2017 10:31:31 +0100
In-Reply-To: <20170129214036.GD7067@madcap2.tricolour.ca>
To: Richard Guy Briggs
Cc: linux-audit@redhat.com
I found it out: auditctl -l did not list the rule as loaded. I checked the auditd logs more deeply and found it had stopped loading rules at some point due to a duplicated rule; after sorting that out, it loaded all rules correctly. Sorry for the trouble.

On Sun, Jan 29, 2017 at 10:40 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> On 2017-01-28 13:16, Damian Tykałowski wrote:
> > Hi
>
> Hi Damian,
>
> > I'm struggling to get proper auditing of usage of power commands, here's
> > what I've got in rules
> >
> > [root@host01 ~]# cat /etc/audit/audit.rules | grep power
> > -w /sbin/shutdown -p rwx -k power
> > -w /sbin/poweroff -p rwx -k power
> > -w /sbin/reboot -p rwx -k power
> > -w /sbin/halt -p rwx -k power
> > -w shutdown -p rwx -k power
> > -w poweroff -p rwx -k power
> > -w reboot -p rwx -k power
> > -w halt -p rwx -k power
> >
> > However despite full host reboot/refreshing rules I'm not getting events
> > with proper key "power"
> >
> > [root@host01 ~]# cat /var/log/audit/audit.log | grep power
> > <empty>
> >
> > Events are logged though but without key
> >
> > type=USER_CMD msg=audit(1485604576.755:679): pid=3490 uid=5004 auid=5004
> > ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
> >
> > type=USER_CMD msg=audit(1485604729.923:658): pid=3428 uid=5004 auid=5004
> > ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
> >
> > Any idea what is wrong? Rules with other keys seem to work.
>
> I suspect you have another rule that is catching it first?
>
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
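A pre-load check for the two failure modes this thread touches on: Damian's finding that auditd stopped loading at a duplicated rule, which leaves every later rule (and its key) absent from `auditctl -l`, and the relative watch paths in the original rule set. This is an added example, not code from the thread or from the audit project. RULES_FILE and AUDITCTL_L are constructed strings standing in for /etc/audit/audit.rules and the output of `auditctl -l`, and the absolute-path check assumes that auditctl rejects a `-w` path that does not start with `/` (verify that against your version's error message).

```python
"""Lint an audit.rules file and compare it with what auditctl -l reports.

Added example for this thread; not code from the list or the audit project.
It reports exact duplicate rules (the kernel rejects a rule that already
exists, and auditctl -R stops at the first rejected rule unless told to
continue), watch rules whose path is not absolute (assumed to be rejected
by auditctl), and keys from the rules file that the loaded rule set lacks.
"""
import shlex
from collections import Counter

# Constructed rules file: an identity watch entered twice, followed by the
# eight power rules exactly as the thread showed them.
RULES_FILE = """\
-D
-b 8192
-w /etc/passwd -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /sbin/shutdown -p rwx -k power
-w /sbin/poweroff -p rwx -k power
-w /sbin/reboot -p rwx -k power
-w /sbin/halt -p rwx -k power
-w shutdown -p rwx -k power
-w poweroff -p rwx -k power
-w reboot -p rwx -k power
-w halt -p rwx -k power
"""

# Constructed `auditctl -l` output: only what got loaded before the failure.
AUDITCTL_L = """\
-w /etc/passwd -p wa -k identity
"""


def parse_rules(text):
    """Non-empty, non-comment rule lines with surrounding whitespace removed."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def find_duplicates(rules):
    """Rules that occur more than once, in order of first appearance."""
    counts = Counter(rules)
    seen = []
    for rule in rules:
        if counts[rule] > 1 and rule not in seen:
            seen.append(rule)
    return seen


def find_relative_watches(rules):
    """-w rules whose path is missing or does not start with '/'."""
    bad = []
    for rule in rules:
        argv = shlex.split(rule)
        if "-w" in argv:
            i = argv.index("-w")
            if i + 1 >= len(argv) or not argv[i + 1].startswith("/"):
                bad.append(rule)
    return bad


def rule_keys(rules):
    """Keys named by '-k KEY' or '-F key=KEY' in the given rules."""
    keys = set()
    for rule in rules:
        argv = shlex.split(rule)
        for i, arg in enumerate(argv):
            if arg == "-k" and i + 1 < len(argv):
                keys.add(argv[i + 1])
            elif arg == "-F" and i + 1 < len(argv) and argv[i + 1].startswith("key="):
                keys.add(argv[i + 1][len("key="):])
    return keys


def missing_keys(rules_text, loaded_text):
    """Keys the rules file defines that the loaded rule set does not show."""
    return sorted(rule_keys(parse_rules(rules_text)) - rule_keys(parse_rules(loaded_text)))


def report(rules_text=RULES_FILE, loaded_text=AUDITCTL_L):
    """All findings in one dict, suitable for a pre-deploy gate."""
    rules = parse_rules(rules_text)
    return {
        "duplicates": find_duplicates(rules),
        "relative_watches": find_relative_watches(rules),
        "missing_keys": missing_keys(rules_text, loaded_text),
    }


if __name__ == "__main__":
    for name, items in report().items():
        print(f"{name}: {items if items else 'none'}")
```

Run it as a step in whatever pushes audit.rules to hosts and treat a non-empty missing_keys list as a failed deploy: a rule that never loaded produces no events, which is what the empty grep for the key looked like here.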

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stephen Buchanan
Subject: Re: Problem with watching power commands - key is not logged
Date: Mon, 30 Jan 2017 16:32:43 +0000
To: Damian Tykałowski
Cc: linux-audit@redhat.com

Glad to hear that it's working for you now.

Typically, the '-w <path/filename>' syntax is to watch system files for modification, not so much to audit the execution of the command (like for power events, as you're doing).
The way I audit reboot commands (among others) is:

-a always,exit -F arch=b32 -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setrlimit -S swapon -k reboot_sched_swap
-a always,exit -F arch=b64 -S acct -S reboot -S sched_setparam -S sched_setscheduler -S setrlimit -S swapon -k reboot_sched_swap

and

-w /var/run/utmp -p wa -k session

This might not be sufficient for your needs, but hopefully it's helpful.

Stephen

On Mon, Jan 30, 2017 at 5:21 AM Damian Tykałowski wrote:
> I found it out: auditctl -l did not list the rule as loaded. I checked the
> auditd logs more deeply and found it had stopped loading rules at some
> point due to a duplicated rule; after sorting that out, it loaded all rules
> correctly. Sorry for the trouble.
>
> On Sun, Jan 29, 2017 at 10:40 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > On 2017-01-28 13:16, Damian Tykałowski wrote:
> > > Hi
> >
> > Hi Damian,
> >
> > > I'm struggling to get proper auditing of usage of power commands, here's
> > > what I've got in rules
> > >
> > > [root@host01 ~]# cat /etc/audit/audit.rules | grep power
> > > -w /sbin/shutdown -p rwx -k power
> > > -w /sbin/poweroff -p rwx -k power
> > > -w /sbin/reboot -p rwx -k power
> > > -w /sbin/halt -p rwx -k power
> > > -w shutdown -p rwx -k power
> > > -w poweroff -p rwx -k power
> > > -w reboot -p rwx -k power
> > > -w halt -p rwx -k power
> > >
> > > However despite full host reboot/refreshing rules I'm not getting events
> > > with proper key "power"
> > >
> > > [root@host01 ~]# cat /var/log/audit/audit.log | grep power
> > > <empty>
> > >
> > > Events are logged though but without key
> > >
> > > type=USER_CMD msg=audit(1485604576.755:679): pid=3490 uid=5004 auid=5004
> > > ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > > msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
> > >
> > > type=USER_CMD msg=audit(1485604729.923:658): pid=3428 uid=5004 auid=5004
> > > ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > > msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
> > >
> > > Any idea what is wrong? Rules with other keys seem to work.
> >
> > I suspect you have another rule that is catching it first?
> >
> >
> > - RGB
> >
> > --
> > Richard Guy Briggs <rgb@redhat.com>
> > Kernel Security Engineering, Base Operating Systems, Red Hat
> > Remote, Ottawa, Canada
> > Voice: +1.647.777.2635, Internal: (81) 32635
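Stephen's reply separates two sources of records: a `-w` watch or an `-a ... -S reboot` rule produces SYSCALL records that carry the rule's key, while the USER_CMD records in Damian's first message are written by sudo itself and never carry a key, so `grep power` on the log cannot find them. The following is an added example, not code from the thread or from the audit project: it parses audit records, labels the power-related ones, and lists those that a search by key would miss. The first two sample lines are the records quoted in the thread; the SYSCALL lines are constructed to resemble what a watch on /sbin/reboot (key "power") and Stephen's `-S reboot` rule (key "reboot_sched_swap") would produce, with illustrative pids and exe paths and an unset auid (4294967295) on the PID 1 record.

```python
"""Find reboot/poweroff activity in audit.log, with or without a rule key.

Added example; not code from the thread or the audit project. The kernel
attaches key="..." only to records produced by a loaded rule; USER_CMD
records come from sudo and carry no key. Sample input: two real records
from the thread plus three constructed SYSCALL records (comm is truncated
to 15 bytes by the kernel, hence "systemd-shutdow").
"""
import re

SAMPLE_LOG = """\
type=USER_CMD msg=audit(1485604576.755:679): pid=3490 uid=5004 auid=5004 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1485604729.923:658): pid=3428 uid=5004 auid=5004 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/home/user01" cmd="reboot" terminal=pts/0 res=success'
type=SYSCALL msg=audit(1485604730.001:659): arch=c000003e syscall=59 success=yes exit=0 ppid=3428 pid=3501 auid=5004 uid=0 gid=0 euid=0 ses=1 comm="reboot" exe="/usr/bin/systemctl" key="power"
type=SYSCALL msg=audit(1485604730.950:660): arch=c000003e syscall=169 success=yes exit=0 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 euid=0 ses=4294967295 comm="systemd-shutdow" exe="/usr/lib/systemd/systemd-shutdown" key="reboot_sched_swap"
type=SYSCALL msg=audit(1485604731.000:661): arch=c000003e syscall=59 success=yes exit=0 ppid=3428 pid=3520 auid=5004 uid=5004 gid=5004 euid=5004 ses=1 comm="ls" exe="/usr/bin/ls" key="exec"
"""

# name=value, where value is "quoted", 'quoted' (nested sudo payload) or bare.
FIELD_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
SERIAL_RE = re.compile(r"audit\(([\d.]+):(\d+)\)")
POWER_CMDS = {"reboot", "shutdown", "poweroff", "halt"}
# reboot(2) syscall number by audit arch value: x86_64 and i386.
REBOOT_SYSCALL = {"c000003e": "169", "40000003": "88"}


def parse_record(line):
    """Split one record into a dict; USER_* records nest fields in msg='...'."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith("'") and value.endswith("'"):
            fields.update(parse_record(value[1:-1]))  # sudo/pam payload
        else:
            fields[key] = value.strip('"')
    return fields


def classify(fields):
    """Label a record that indicates a power command, or None."""
    rtype = fields.get("type")
    if rtype == "USER_CMD":
        cmd = fields.get("cmd", "").split()
        if cmd and cmd[0].rsplit("/", 1)[-1] in POWER_CMDS:
            return "sudo-cmd"
    elif rtype == "SYSCALL":
        if REBOOT_SYSCALL.get(fields.get("arch")) == fields.get("syscall"):
            return "reboot-syscall"
        if fields.get("comm") in POWER_CMDS:
            return "exec"
    return None


def power_events(log_text):
    """(serial, label, auid, key) for every power-related record."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_record(line)
        label = classify(fields)
        if label is None:
            continue
        serial = SERIAL_RE.search(fields.get("msg", "")).group(2)
        events.append((serial, label, fields.get("auid"), fields.get("key")))
    return events


def unkeyed(events):
    """Events a search by rule key (grep or ausearch -k) would never find."""
    return [e for e in events if e[3] is None]


if __name__ == "__main__":
    for event in power_events(SAMPLE_LOG):
        print(event)
    print("not findable by key:", [e[0] for e in unkeyed(power_events(SAMPLE_LOG))])
```

With Stephen's rules in place, `ausearch -k reboot_sched_swap` finds the syscall record and `ausearch -m USER_CMD` the sudo record. On a systemd host the reboot(2) call is typically made by PID 1 (systemd-shutdown) rather than by the user's process, so the syscall record alone does not say who asked for the reboot; attribution comes from the USER_CMD or execve record, which is why both kinds are worth collecting.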