From: Steve Grubb
Subject: Re: USER_CMD
Date: Thu, 14 Jul 2016 15:06:20 -0400
Message-ID: <2500772.GKlpCM7XVk@x2>
References: <1545844.sIvAAjI6WL@x2>
To: Chris Nandor
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, July 14, 2016 10:44:46 AM EDT Chris Nandor wrote:
> Sorry, I guess I should have been more clear ... what sort of rule would
> make it show up? I'm not seeing it.

It's hardwired. You don't need to add a rule. The rules that you add always
result in SYSCALL events. You should also add a key to every rule as a
reminder of what it means. So, any SYSCALL event that does not have a key is
triggered by something else like a SELinux AVC.

-Steve

> On Thu, Jul 14, 2016 at 10:37 AM, Steve Grubb wrote:
> > On Thursday, July 14, 2016 10:22:30 AM EDT Chris Nandor wrote:
> > > How does one get USER_CMD records into the audit.log?
> >
> > The sudo command is the usual way.
> >
> > -Steve
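The distinction described in this thread, as an added example that is not part of the original messages: a small Python classifier that groups audit.log records by event serial and separates rule-generated SYSCALL events (which carry a key), SYSCALL events with no key (reported with their companion record types, such as AVC), and hardwired USER_CMD events. The log lines, the key name `passwd-watch` and the function name `classify` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log layout (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1468522000.101:201): arch=c000003e syscall=2 success=yes exit=3 pid=1500 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="passwd-watch"
type=PATH msg=audit(1468522000.101:201): item=0 name="/etc/passwd" inode=1234 nametype=NORMAL
type=AVC msg=audit(1468522005.330:202): avc:  denied  { read } for  pid=1600 comm="httpd" name="secret" dev="dm-0" ino=5678 tclass=file permissive=0
type=SYSCALL msg=audit(1468522005.330:202): arch=c000003e syscall=2 success=no exit=-13 pid=1600 auid=4294967295 uid=48 comm="httpd" exe="/usr/sbin/httpd" key=(null)
type=USER_CMD msg=audit(1468522010.456:203): pid=1700 uid=1000 auid=1000 ses=1 msg='cwd="/home/user" cmd="id" terminal=pts/0 res=success'
"""

# Every record starts with its type and an event id: audit(timestamp:serial).
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
# A rule key is quoted; a SYSCALL record with no key shows key=(null).
KEY = re.compile(r'\bkey=(?:"([^"]*)"|(\S+))')

def classify(log_text):
    """Map each event serial to (origin, detail)."""
    events = defaultdict(dict)  # serial -> {record type: body}; last record of a type wins
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            rtype, _ts, serial, body = m.groups()
            events[int(serial)][rtype] = body
    result = {}
    for serial, recs in sorted(events.items()):
        if "SYSCALL" in recs:
            k = KEY.search(recs["SYSCALL"])
            key = k.group(1) if k else None  # None for key=(null) or no key field
            if key:
                result[serial] = ("rule", key)  # produced by a rule you loaded
            else:
                # No key: list companion records to see what triggered the event.
                result[serial] = ("no-key", sorted(t for t in recs if t != "SYSCALL"))
        elif "USER_CMD" in recs:
            result[serial] = ("user-cmd", None)  # hardwired, e.g. emitted by sudo
        else:
            result[serial] = ("other", sorted(recs))
    return result

if __name__ == "__main__":
    for serial, (origin, detail) in classify(SAMPLE_LOG).items():
        print(serial, origin, detail)
```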