From: Steve Grubb
Subject: Re: aureport and command lines
Date: Sat, 18 Aug 2012 09:19:25 -0400
Message-ID: <1884526.aT5QDbLnms@x2>
To: linux-audit@redhat.com

On Sunday, July 22, 2012 10:31:23 AM Michael Mather wrote:
> I have written my own version of aureport. It is still buggy etc, but it
> does already provide something interesting.
>
> For example, it can show command lines. It takes something in the log
> like:
>   uid=1000 euid=0
>   argc=4 a0="sudo" a1="cp" a2="qwerty" a3="/etc/xxx"
>
>   uid = 0 euid=0
>   argc=4 a0="cp" a1="qwerty" a2="/etc/xxx"
>
> and puts out:
>   uid   euid  command
>   ---   ----  -------
>   1000  0     sudo cp qwerty /etc/xxx
>   0     0     cp qwerty /etc/xxx
>
> which is interesting.
>
> My question is whether I could have done something like this with
> aureport.

You can't today. I think this is an omission in the current design. I will try
to fix aureport to output this.

-Steve
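
The uid/euid/command report described in the quoted message, as an added example that is not part of the original thread and is neither Michael's tool nor aureport code. It assumes raw audit.log input in which SYSCALL and EXECVE records share an event id; the sample records, `decode_arg` and `command_lines` are constructed for illustration, and long arguments split across `aN[i]=` fields are not handled.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample in raw audit.log layout (not from the thread). SYSCALL holds
# uid/euid, EXECVE holds argc and a0..aN; records of one event share the
# audit(timestamp:serial) id. The last a1 is hex-encoded, as auditd does for
# arguments containing spaces, quotes or control characters.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1345295965.101:410): arch=c000003e syscall=59 success=yes exit=0 pid=2201 uid=1000 euid=0 comm="sudo" exe="/usr/bin/sudo"
type=EXECVE msg=audit(1345295965.101:410): argc=4 a0="sudo" a1="cp" a2="qwerty" a3="/etc/xxx"
type=SYSCALL msg=audit(1345295965.140:411): arch=c000003e syscall=59 success=yes exit=0 pid=2202 uid=0 euid=0 comm="cp" exe="/bin/cp"
type=EXECVE msg=audit(1345295965.140:411): argc=3 a0="cp" a1="qwerty" a2="/etc/xxx"
type=SYSCALL msg=audit(1345295970.002:412): arch=c000003e syscall=59 success=yes exit=0 pid=2210 uid=1000 euid=1000 comm="touch" exe="/usr/bin/touch"
type=EXECVE msg=audit(1345295970.002:412): argc=2 a0="touch" a1=6D792066696C65
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_arg(value):
    """Return the argument text: quoted values are literal, bare values are hex."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # e.g. (null); keep as logged

def command_lines(log_text):
    """Join SYSCALL and EXECVE records by event id into (uid, euid, command) rows."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = dict(FIELD.findall(body))
        if rtype == "SYSCALL":
            events[event_id].update(uid=fields.get("uid", "?"), euid=fields.get("euid", "?"))
        elif rtype == "EXECVE":
            argc = int(fields.get("argc", 0))
            events[event_id]["argv"] = [decode_arg(fields[f"a{i}"])
                                        for i in range(argc) if f"a{i}" in fields]
    # shlex.join quotes arguments so the printed command line stays unambiguous
    return [(ev.get("uid", "?"), ev.get("euid", "?"), shlex.join(ev["argv"]))
            for ev in events.values() if "argv" in ev]

if __name__ == "__main__":
    print(f"{'uid':<6}{'euid':<6}command")
    for uid, euid, cmd in command_lines(SAMPLE_LOG):
        print(f"{uid:<6}{euid:<6}{cmd}")
```

Rows where uid and euid differ, such as the sudo line, are the ones a reviewer usually wants to filter on first.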