aureport and command lines

aureport and command lines

[Michael Mather]

I have written my own version of aureport. It is still buggy etc, but it
does already provide something interesting.

For example, it can show command lines. It takes something in the log
like:
   uid=1000 euid=0
   argc=4 a0="sudo" a1="cp" a2="qwerty" a3="/etc/xxx"

   uid = 0 euid=0
   argc=4 a0="cp" a1="qwerty" a2="/etc/xxx"

and puts out:
    uid   euid   command
    ---   ----   -------
   1000      0   sudo cp qwerty /etc/xxx
      0      0   cp qwerty /etc/xxx

which is interesting.

My question is whether I could have done something like this with
aureport.

(This is part of a much bigger question as to how audit can be used to
meet PCI requirements.)

Thanks - Michael
----------------

Re: aureport and command lines

[Steve Grubb]

On Sunday, July 22, 2012 10:31:23 AM Michael Mather wrote:
> I have written my own version of aureport. It is still buggy etc, but it
> does already provide something interesting.
> 
> For example, it can show command lines. It takes something in the log
> like:
>    uid=1000 euid=0
>    argc=4 a0="sudo" a1="cp" a2="qwerty" a3="/etc/xxx"
> 
>    uid = 0 euid=0
>    argc=4 a0="cp" a1="qwerty" a2="/etc/xxx"
> 
> and puts out:
>     uid   euid   command
>     ---   ----   -------
>    1000      0   sudo cp qwerty /etc/xxx
>       0      0   cp qwerty /etc/xxx
> 
> which is interesting.
> 
> My question is whether I could have done something like this with
> aureport.

You can't today. I think this is an omission in the current design. I will try 
to fix aureport to output this.

-Steve