From: Michael Mather
Subject: aureport and command lines
Date: Sun, 22 Jul 2012 10:31:23 -0400
Message-ID: <1342967483.2518.21.camel@debian.domain_name>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

I have written my own version of aureport. It is still buggy etc., but it does already provide something interesting. For example, it can show command lines. It takes something in the log like:

    uid=1000 euid=0 argc=4 a0="sudo" a1="cp" a2="qwerty" a3="/etc/xxx"
    uid=0 euid=0 argc=4 a0="cp" a1="qwerty" a2="/etc/xxx"

and puts out:

    uid   euid  command
    ---   ----  -------
    1000  0     sudo cp qwerty /etc/xxx
    0     0     cp qwerty /etc/xxx

which is interesting.

My question is whether I could have done something like this with aureport. (This is part of a much bigger question as to how audit can be used to meet PCI requirements.)

Thanks - Michael
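The reconstruction described in the mail, as an added example and not Michael's tool: it parses the flattened uid/euid/argc/aN form shown above (constructed sample lines; in a real audit log the uid/euid fields live in the SYSCALL record and the arguments in the EXECVE record of the same event) and also decodes the unquoted hex encoding auditd uses for an argument that contains whitespace or non-printable bytes.

```python
import re

# Constructed sample in the flattened form shown in the mail (uid/euid and
# argc/a0..aN on one line). The third line shows an argument that auditd
# hex-encoded (no quotes) because it contains a space: "my file.txt".
SAMPLE_LINES = [
    'uid=1000 euid=0 argc=4 a0="sudo" a1="cp" a2="qwerty" a3="/etc/xxx"',
    'uid=0 euid=0 argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"',
    'uid=1000 euid=1000 argc=2 a0="cat" a1=6D792066696C652E747874',
]

# key=value pairs; a value is either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_arg(raw):
    """Strip the quotes from a quoted argument, or decode a hex-encoded one."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        # audit hex-encodes arguments with whitespace or non-printable bytes
        return bytes.fromhex(raw).decode('utf-8', errors='replace')
    return raw


def parse_line(line):
    """Return uid, euid and the rejoined command line for one flattened record."""
    fields = dict(FIELD_RE.findall(line))
    argc = int(fields.get('argc', 0))
    # tolerate argc larger than the number of aN fields actually present
    args = [decode_arg(fields[f'a{i}']) for i in range(argc) if f'a{i}' in fields]
    return {'uid': fields.get('uid', '?'),
            'euid': fields.get('euid', '?'),
            'command': ' '.join(args)}


def report(lines):
    """Render the uid / euid / command table the mail shows."""
    out = ['uid   euid  command', '---   ----  -------']
    for r in (parse_line(l) for l in lines):
        out.append(f"{r['uid']:<5} {r['euid']:<5} {r['command']}")
    return '\n'.join(out)


if __name__ == '__main__':
    print(report(SAMPLE_LINES))
```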