Unix & Linux Stack Exchange
Q&A for users of Linux, FreeBSD and other Unix-like operating systems
Latest Questions
0
votes
1
answers
2712
views
audit rule doesn't load via systemctl restart auditd
I was trying to see what was enabling ipv4 forwarding in file /proc/sys/net/ipv4/ip_forward (I've discovered that this was docker, but I'd still like to understand my auditd issue).
So I decided to make an audit rule:
```
-w /proc/sys/net/ipv4/ip_forward -p wa -k ip4forward
```
The issue is that the rule only loads if I manually issue:
```
augenrules --load
```
A simple `restart auditd` will clear this rule. Meaning that during boot, this will get wiped.
My /etc/audit/rules.d/audit.rules file contents (only rule file in dir):
```
-D
-b 8192
--backlog_wait_time 60000
-f 1
-w /proc/sys/net/ipv4/ip_forward -p wa -k ip4forward
-w /etc/fstab -p rwa -k fstab
```
Example of restarting auditd:
```
$ sudo systemctl restart auditd
$ sudo auditctl -l
-w /etc/fstab -p rwa -k fstab #<- Only this rule loads
```
Example of running augenrules:
```
$ sudo augenrules --load
/usr/sbin/augenrules: No change
No rules
enabled 1
failure 1
pid 3116
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 3116
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 3116
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 3116
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 3116
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
$ sudo auditctl -l
-w /proc/sys/net/ipv4/ip_forward -p wa -k ip4forward
-w /etc/fstab -p rwa -k fstab
```
```
$ sudo systemctl status auditd
● auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-12-11 16:42:29 EST; 6min ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 3114 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Process: 3119 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
   Main PID: 3116 (auditd)
      Tasks: 2 (limit: 9346)
     Memory: 548.0K
        CPU: 125ms
     CGroup: /system.slice/auditd.service
             └─3116 /sbin/auditd

Dec 11 16:42:29 ubuntu augenrules: enabled 1
Dec 11 16:42:29 ubuntu augenrules: failure 1
Dec 11 16:42:29 ubuntu augenrules: pid 3116
Dec 11 16:42:29 ubuntu augenrules: rate_limit 0
Dec 11 16:42:29 ubuntu augenrules: backlog_limit 8192
Dec 11 16:42:29 ubuntu augenrules: lost 0
Dec 11 16:42:29 ubuntu augenrules: backlog 0
Dec 11 16:42:29 ubuntu augenrules: backlog_wait_time 60000
Dec 11 16:42:29 ubuntu augenrules: backlog_wait_time_actual 0
Dec 11 16:42:29 ubuntu systemd: Started Security Auditing Service.
```
Running Ubuntu 22.04 with auditd version 1:3.0.7-1build1
Any ideas?
Thanks!
wabbajack001
(91 rep)
Dec 11, 2023, 09:55 PM
• Last activity: Jun 16, 2025, 04:03 PM
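The post above shows the symptom but not a way to confirm it systematically: the rules file declares two watches, `auditctl -l` lists one. The following script is an added check, not code from the post or from the audit project. It reads every `*.rules` file under /etc/audit/rules.d/, normalizes each rule, and prints the ones missing from the live `auditctl -l` listing. It assumes what the audit userspace prints today: syscall rules come back as `-F key=NAME` with `auid!=-1`, watch rules as `-w PATH -p PERMS -k NAME`, and control options (`-D`, `-b`, `-f`, `--backlog_wait_time`, ...) never appear in the listing, so they are skipped. The sample inputs are constructed from the post's data. Comparison is textual, so a rule the kernel reports with a reordered or expanded syscall list will show up as not loaded and needs a manual look.

```python
"""List rules from /etc/audit/rules.d/ that are not in the live ruleset."""
import glob
import shlex
import subprocess

# Options accepted in rules files that change daemon/kernel settings instead
# of adding a rule; they never show up in `auditctl -l` output (assumption).
CONTROL_OPTIONS = {
    "-D", "-b", "-f", "-e", "-r", "-c", "-i", "--backlog_wait_time",
    "--backlog_wait_time_actual", "--loginuid-immutable", "--reset-lost",
}
PERM_ORDER = "rwxa"  # order in which auditctl -l prints watch permissions


def normalize(tokens):
    """Canonical spelling of one rule: -F key=X -> -k X, unset -> -1, -p sorted."""
    out, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-F" and nxt is not None:
            if nxt.startswith("key="):
                out += ["-k", nxt[len("key="):]]
            else:
                out += ["-F", nxt.replace("=unset", "=-1").replace("=4294967295", "=-1")]
            i += 2
        elif tok == "-p" and nxt is not None:
            out += ["-p", "".join(c for c in PERM_ORDER if c in nxt)]
            i += 2
        else:
            out.append(tok)
            i += 1
    return " ".join(out)


def rule_lines(text):
    """Yield normalized rule lines from rules-file text or `auditctl -l` text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line == "No rules":
            continue
        tokens = shlex.split(line)
        if tokens[0] in CONTROL_OPTIONS:
            continue
        yield normalize(tokens)


def missing_rules(rules_text, loaded_text):
    """Rules present in rules_text but absent from the live listing, in file order."""
    loaded = set(rule_lines(loaded_text))
    return [rule for rule in rule_lines(rules_text) if rule not in loaded]


# Constructed sample mirroring the post: two watches configured, one loaded.
SAMPLE_RULES = """\
-D
-b 8192
--backlog_wait_time 60000
-f 1
-w /proc/sys/net/ipv4/ip_forward -p wa -k ip4forward
-w /etc/fstab -p rwa -k fstab
"""
SAMPLE_LOADED = "-w /etc/fstab -p rwa -k fstab\n"


def check_live_system():
    """Compare the real rules.d directory against `auditctl -l` (needs root)."""
    rules_text = ""
    for path in sorted(glob.glob("/etc/audit/rules.d/*.rules")):
        with open(path, encoding="utf-8") as fh:
            rules_text += fh.read() + "\n"
    loaded_text = subprocess.run(
        ["auditctl", "-l"], capture_output=True, text=True, check=True
    ).stdout
    return missing_rules(rules_text, loaded_text)


if __name__ == "__main__":
    for rule in missing_rules(SAMPLE_RULES, SAMPLE_LOADED):
        print("NOT LOADED (sample):", rule)
    try:
        for rule in check_live_system():
            print("NOT LOADED:", rule)
    except (FileNotFoundError, PermissionError, subprocess.CalledProcessError) as err:
        print("live check skipped:", err)
```

Run it as root once after `systemctl restart auditd` and once after `augenrules --load`; the difference between the two runs is the set of rules that the `ExecStartPost` step drops but a manual load keeps, which is exactly what to take to the auditd logs next.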
0
votes
1
answers
2842
views
Arch Linux stuck at boot after a restart
I was just having fun with installing Wayland and customizing it to my liking and when I finally restarted it before I go to bed, it was stuck on the logo. So, I enabled logging for grubs and it's stuck at
```
[   16.676220] audit: type=1131 audit(1668615179.786:53): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=systemd-rfkill comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   36.647193] audit: type=1334 audit(1668615199.753:57): prog-id=0 op=UNLOAD
```
Those are the two sample lines of the last outputs, there were like at least 3 of each with different log numbers. The two dupes of the first one have `unit=NetworkManager-dispatcher` and `unit=systemd-hostnamed`.
I don't know how to troubleshoot this when googling those gives 0 results. What could be the possible solution?
I'm on Arch using Wayland, Hyprland with Nvidia GT 1030
Zettomon
(1 rep)
Nov 16, 2022, 04:23 PM
• Last activity: May 10, 2025, 09:08 AM
1
votes
0
answers
47
views
Getting a large number of type=1400 apparmor=ALLOWED dmesg lines
My dmesg log is littered with the following kind of lines:
```
[  +0.000009] audit: type=1400 audit(1745688898.020:223710): apparmor="ALLOWED" operation="getattr" class="file" profile="someapp//null-/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop//null-/usr/bin/nemo" name="/usr/local/share/icons/hicolor/" pid=24956 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  +0.000004] audit: type=1400 audit(1745688898.020:223711): apparmor="ALLOWED" operation="getattr" class="file" profile="someapp//null-/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop//null-/usr/bin/nemo" name="/usr/share/icons/hicolor/" pid=24956 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  +0.000016] audit: type=1400 audit(1745688898.020:223712): apparmor="ALLOWED" operation="getattr" class="file" profile="someapp//null-/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop//null-/usr/bin/nemo" name="/usr/share/nemo/icons/hicolor/" pid=24956 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[  +0.000004] audit: type=1400 audit(1745688898.020:223713): apparmor="ALLOWED" operation="getattr" class="file" profile="someapp//null-/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop//null-/usr/bin/nemo" name="/home/joeuser/.local/share/icons/" pid=24956 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[  +0.000003] audit: type=1400 audit(1745688898.020:223714): apparmor="ALLOWED" operation="getattr" class="file" profile="someapp//null-/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop//null-/usr/bin/nemo" name="/home/joeuser/.icons/" pid=24956 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[  +8.605953] kauditd_printk_skb: 40 callbacks suppressed
[  +0.000002] audit: type=1400 audit(1745688906.628:223755): apparmor="ALLOWED" operation="getattr" class="file" profile="someapp//null-/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop//null-/usr/bin/nemo" name="/home/joeuser/.local/share/mime/mime.cache" pid=24956 comm="nemo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1
```
Am I correct in assuming that this is nothing to worry about? And if that's the case - how do I suppress these gratuitous messages?
einpoklum
(10753 rep)
Apr 26, 2025, 06:08 PM
4
votes
1
answers
350
views
How to log event on a directory (deletion)
I have a folder on my RHEL 9 server that gets deleted every few days, but I don’t know which process or user is responsible.
I’d like to log all events related to this folder, particularly deletions.
I came across a tool called auditd, which seems like it could help, but I'm not sure how to configure it to monitor this specific folder.
Is auditd the best option for this task, or is there a better tool or script I could use to track and log deletions?
Is this enough?
```
auditctl -w /path/to/myfolder -p rwa -k rule_watch_folder
```
executable
(187 rep)
Apr 24, 2025, 07:47 AM
• Last activity: Apr 24, 2025, 09:11 AM
2
votes
1
answers
441
views
Enabling command hashing in tcsh
It seems command hashing is disabled by default in our `tcsh` environment, and I'm not permitted to get it enabled across the board. Instead I'm looking to enable command hashing within individual scripts, all of which contain while loops, so I'd expect the first iteration to loop through all the paths defined in `$PATH` and subsequent iterations to hit the exact path from the internal hash table. The purpose is to reduce the number of failed execve calls captured by the audit service.
First question, is there a command similar to `hash` in tcsh to output the internal hash table? `hashstat` doesn't appear to work, it doesn't output anything on the prompt, perhaps because hashing is disabled? When I did get it to print something, it printed only the number and size of hash buckets, not any specific commands.
Main question, I've tried adding `rehash` to the beginning of the script, which has helped reduce the number of `execve` calls per command from ~5 to ~2 (even on the first iteration). For some reason, it still always tries to run commands from `/sbin` first. Any suggestions on what to check to see why after running rehash it still tries to execute a command from an invalid path, or is there an alternative way to enable command hashing from within a script?
Side question, bash on the other hand still manages to hit the correct path even with the hash table disabled. Any idea how it does this without command hashing?
Lastly, strace hasn't captured the failed execve calls captured by audit. I've tried simple `strace sleep`, and `strace -f -e trace=execve sleep`, both essentially just showing the correct entry, but not the failed ones:
```
execve("/bin/sleep", ["sleep"], 0x7ffe0d773ff8 /* 32 vars */) = 0
```
Maikol
(164 rep)
Mar 17, 2024, 10:38 PM
• Last activity: Apr 17, 2025, 09:32 AM
72
votes
1
answers
74516
views
How do I monitor opened files of a process in realtime?
I know I can view the open files of a process using `lsof` *at that moment in time* on my Linux machine. However, a process can open, alter and close a file so quickly that I won't be able to see it when monitoring it using standard shell scripting (e.g. `watch`) as explained in ["monitor open process files on linux (real-time)"](https://serverfault.com/questions/219323/monitor-open-process-files-on-linux-real-time).
So, I think I'm looking for a simple way of auditing a process and see what it has done over the time passed. It would be great if it's also possible to see what network connections it (tried to) make and to have the audit start before the process got time to run without the audit being started.
Ideally, I would like to do this:
```sh
$ audit-lsof /path/to/executable
4530.848254 OPEN read /etc/myconfig
4530.848260 OPEN write /var/log/mylog.log
4540.345986 OPEN read /home/gert/.ssh/id_rsa 1.2.3.4:80 |
[...]
4541.023485 CLOSE /home/gert/.ssh/id_rsa 1.2.3.4:80 | this when polling
```
Would this be possible using `strace` and some flags to not see every system call?
gertvdijk
(14517 rep)
Dec 19, 2012, 01:16 PM
• Last activity: Feb 20, 2025, 10:40 AM
7
votes
2
answers
1275
views
How to capture the xtrace output (only) in a file?
I know that I can redirect the `xtrace` output to `some_file` with something like this:
```
exec 2>> some_file
set -x
```
...but this sends to `some_file` not only the `xtrace` output, but also any other content originally sent to `fd 2`, which includes most error messages and warnings, all unrelated to `xtrace`.
Is there a way to capture *only* the `xtrace` output in `some_file`?
I should add that I'm looking for a way to do this that would distort as little as possible the `xtrace` output itself, and the timing information gathered through a `PS4` setting like, e.g.
```
zmodload zsh/datetime
export PS4='${(j::)epochtime} %N:%i> '
```
kjo
(16299 rep)
Jan 11, 2017, 12:35 PM
• Last activity: Jan 10, 2025, 04:39 PM
0
votes
0
answers
15
views
Hpux 10.20: auditing enabled and report..nothing
I have enabled auditing on hpux 10.20:
```
vim /etc/rc.config.d/auditing
AUDITING=1
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/.secure/etc/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1="-P -F -e moddac -e login -e admin"
AUDEVENT_ARGS2=""
AUDEVENT_ARGS3=""
AUDOMON_ARGS="-p 20 -t 1 -w 90"
```
start auditing:
```
audsys -c /.secure/etc/audfile1 -x /.secure/etc/audfile2 -s 1000 -z 1000
```
I reboot and...
```
audisp -u root
users and aids:
root
0
All events are selected.
All ttys are selected.
Selecting successful & failed events.
TIME PID E EVENT PPID AID RUID RGID EUID EGID TTY
```
as you can see no events are reported, why?
elbarna
(13690 rep)
Nov 18, 2024, 11:18 AM
• Last activity: Nov 18, 2024, 11:25 AM
21
votes
3
answers
46540
views
Is there an easy way to log all commands executed, including command line arguments?
I am trying to find how to log a specific instantiation of `rrdtool` to see whether the path it is receiving is incorrect.
I know I could wrap the executable in a shell script that would log the parameters, but I was wondering if there was a more kernel-specific way to monitor for that, perhaps a filesystem callback that sees when a particular /proc/pid/exe matches a given binary?
Peter Grace
(747 rep)
Jul 29, 2013, 10:21 PM
• Last activity: Nov 7, 2024, 09:36 AM
0
votes
0
answers
85
views
Configuring audit log and Syslog Collection over TLS
I have two RHEL 9.4 systems and I want to configure auditing on *both* systems. The one RHEL system will be used for a basic linux system for testing, and the other will be used for a Syslog server for collection before forwarding to a remote location for storage.
* Both systems should audit the same parameters.
* The test RHEL box should forward the audit logs collected over TLS to the remote Syslog server (typically done over port 6514, I believe) and the Syslog server should send its logs over loopback over port 6514 where a process will be placed to ingest those logs over that port and forward to a remote location.
The process to collect those logs isn't what is needed. The set up and configuration of what was listed above on both sides to include setting up TLS with a self-signed certificate is what is needed.
Can anyone assist in this?
jkells
(1 rep)
Oct 21, 2024, 03:14 PM
• Last activity: Oct 22, 2024, 12:58 PM
-2
votes
1
answers
172
views
I would like to audit an Ubuntu server to get a list of all files executed and all files read by the system
I want to be able to instrument and analyze at a prebuilt server and get a list of every file read.
I would also like to determine which of those files were read by the kernel to execute a program, load a library or just read by an application.
I thought it would be simple. SELinux by default deny, and in permissive mode, it logs everything. So, install it with no rules and run it in permissive mode and everything should be logged.
Note this question is related to [this one on Security SE](https://security.stackexchange.com/q/239436/281475) as I am experiencing something similar to that poster.
Then there is the issue that running under SELinux or any of the other auditing packages would introduce substantial load and possibly change the behavior of the system under observation.
kkron
(105 rep)
Oct 6, 2023, 12:21 AM
• Last activity: Oct 14, 2024, 07:44 PM
1
votes
1
answers
418
views
dmesg log being flooded by audit, can I somehow prevent it?
I'm torrenting with Transmission GTK. My dmesg log is being flooded by audit, and without knowing what good it is for, I do not even care much, I cannot use dmesg for other purposes. It floods so fast I am even unable to make text selection... Therefore let me excuse for this image:
Vlastimil Burián
(30505 rep)
Oct 2, 2024, 11:49 AM
• Last activity: Oct 2, 2024, 06:54 PM
0
votes
0
answers
263
views
How can I get `auditctl` to provide error information?
**EDIT**
This may be the result of an [issue with the Arch package](https://gitlab.archlinux.org/archlinux/packaging/packages/audit/-/issues/2).
---
I am learning to use the linux audit system. Right now I have several rulesets in the `/etc/audit/rules.d` directory.
When I run
```
augenrules
auditctl -R /etc/audit/audit.rules
```
I get the message:
```
There was an error in line 5 of /etc/audit/audit.rules
```
However I do not know how to determine what that error is. Is it even possible for `auditctl` to report why it thinks there is an error?
Ben Little
(21 rep)
Sep 11, 2024, 09:20 PM
• Last activity: Sep 11, 2024, 10:18 PM
0
votes
0
answers
313
views
AuditD understanding exit,always,exclude,never
I see these 4 exit, always, exclude, and never commonly used in many different combinations like below:
```
-a exit,always
-a exit,never
-a exclude,always
-a exclude,never
```
I'm trying to understand what each one means and how the positioning of them work.
I've read the manual but still am at odds on the technical side.
Does it matter the placement of the words at all?
Jason
(1754 rep)
Aug 19, 2024, 04:23 PM
0
votes
1
answers
302
views
auditd logs- /lib/ld-linux-x86-64.so.2 flooding logs
I am running auditd on a Debian 11 server with a very generic set of audit rules. The audit log is filled with entries like below. I'm not sure what they are - can anyone help identify these? I'm assuming it has something to do with root executing something since the ouid and ogid are 0. Is this correct?
```
type=Path msg=audit(1712839234.13338212): item=2 name="/lib/ld-linux-x86-64.so.2" inode=1573503 dev=fe:05 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fe=0 fver=0 frootid=0
```
user1309220
(15 rep)
Apr 11, 2024, 05:25 PM
• Last activity: Apr 15, 2024, 10:18 PM
1
votes
1
answers
169
views
Force tcsh to check whether command exist in the path before attempting to execute it
I've noticed that tcsh, regardless of whether "-f" flag is passed on the shebang line, will iterate through $PATH, and try to execute the command from that path until the command is found. Whereas bash first checks whether the command is present in that location.
This tcsh behaviour leads to a lot of failed entries in the audit logs as our audit has been configured to capture execve system calls. For instance when sleep is called from within a tcsh script, one of the failed audit entries shows it tried to run sleep with absolute path: "/usr/local/bin/sleep".
```
type=SYSCALL msg=audit(1710330471.326:37838): arch=c000003e syscall=59 success=no exit=-2 a0=2601590 a1=261e010 a2=261d110 a3=7ffdc4a409e0 items=1 ppid=8930 pid=8938 auid=1011478343 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=863 comm="csh_test.sh" exe="/usr/bin/tcsh" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="non_sys_execs"
type=CWD msg=audit(1710330471.326:37838): cwd="/tmp"
type=PATH msg=audit(1710330471.326:37838): item=0 name="/usr/local/bin/sleep" objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1710330471.326:37838): proctitle=2F62696E2F637368002E2F6373685F746573742E7368
```
Strace shows bash stats first, before attempting an access:
```
stat("/usr/local/bin/sleep", 0x7ffdd8de5630) = -1 ENOENT (No such file or directory)
stat("/usr/local/sbin/sleep", 0x7ffdd8de5630) = -1 ENOENT (No such file or directory)
stat("/sbin/sleep", 0x7ffdd8de5630) = -1 ENOENT (No such file or directory)
stat("/bin/sleep", {st_mode=S_IFREG|0755, st_size=33128, ...}) = 0
```
The order in which it traverses the paths matches the order the paths are defined in $PATH.
Unfortunately changing the order around on all our servers will not be possible, also it's unclear what the implications would be of putting /bin/ ahead of /usr/local/bin etc. Whilst, I doubt it, but just in case, is there perhaps some runtime or install configuration to force tcsh to stat first just like bash does?
Is there anything else that could be done at all to avoid these failures (apart from amending scripts to use the full path or filtering out these execve calls from audit capture)?
Maikol
(164 rep)
Mar 15, 2024, 10:45 AM
• Last activity: Mar 20, 2024, 07:17 AM
1
votes
1
answers
572
views
How do I configure auditd to print the ppid name, not just the ppid?
OS is Debian. I have set up auditd to try and determine what is rebooting a system.
I have the following rule:
```
-a exit,always -F arch=b64 -S execve -F path=/bin/systemctl -k debug_test
```
Creating a rule for `/usr/sbin/reboot` doesn't work, since it's a symlink to `/bin/systemctl`, but this rule works perfectly, it captures every time a reboot command is executed. I can then search for these reboots with command: `ausearch -k debug_test | grep reboot`. (Note the rule key doesn't contain the string "reboot", since that is what I need to grep for)
However, this just prints the ppid of the process responsible, I am looking for the process name of the ppid. Is it possible to configure auditd to log this? Or would I have to write some kind of daemon that logs all pids + process names every 15 seconds or so?
cat pants
(167 rep)
Jan 12, 2024, 10:05 PM
• Last activity: Jan 22, 2024, 09:46 PM
0
votes
0
answers
189
views
Find most common offender in audit.log
I have a situation where a clean install of RHEL 8.8 and having `auditd` running with a given `/etc/audit/rules.d/audit.rules` file produces a `/var/log/audit/audit.log` that is greater than 4GB. This is with me having the only user account on the system, me being the only person logged in, and doing a `cp -rp /data/* /backup/`. FWIW I am logged in on the backup server (server-B) with `/data` NFS mounted (from server-A) on it when I am doing the `cp -rp`. The `/data` folder has greater than 50TB of data. The file system is XFS_4.0 from RHEL 7.9 on `/data` and XFS_5.0 from RHEL 8.8 on `/backup`; both server A & B are running RHEL 8.8.
Is there a linux [audit] tool that can parse out the most common entries in `audit.log`?
And, based on description above if a reason and solution could be provided that would be cool too.
```
# /etc/audit/rules.d/audit.rules
## First rule - delete all
-D
-e 2
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determine how long to wait in burst of events
--backlog_wait_time 60000
--loginuid-immutable
## Set failure mode to syslog
-f 1
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid=0 -k perm_mod
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-chage
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-passwd
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=unset -k privileged-mount
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=unset -k privileged-mount
-a always,exit -F path=/usr/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-unix-update
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged-ssh
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check
-a always,exit -F arch=b32 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng
-a always,exit -F arch=b64 -S init_module,finit_module -F auid>=1000 -F auid!=unset -k module_chng
-a always,exit -F arch=b32 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete
-a always,exit -F arch=b64 -S rename,unlink,rmdir,renameat,unlinkat -F auid>=1000 -F auid!=unset -k delete
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged-gpasswd
-a always,exit -F arch=b32 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng
-a always,exit -F arch=b64 -S delete_module -F auid>=1000 -F auid!=unset -k module_chng
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd
-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b32 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b64 -S truncate,ftruncate,creat,open,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=unset -k perm_access
-a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged-usermod
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F path=/usr/bin/kmod -F perm=x -F auid>=1000 -F auid!=unset -k modules
-w /var/log/lastlog -p wa -k logins
-w /var/log/faillock -p wa -k logins
```
ron
(8647 rep)
Nov 7, 2023, 08:00 PM
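Two questions on this page come down to the same job of reading /var/log/audit/audit.log event by event rather than line by line: the RHEL 9 question above about a folder that keeps getting deleted (who removed it, from which process) and the question just above about a 4GB audit.log (which rule key or executable produces most of the records). The script below is an added example, not code from either post or from the audit project. It groups raw records by their `audit(TIME:SERIAL)` id, reports successful deletions with the deleted path resolved against the event's CWD record and the SYSCALL record's auid/uid/pid/ppid/exe, and counts the most common value of any SYSCALL field (the `key=` is what answers "which rule is noisy"). Assumptions: raw audit.log format (not `ausearch -i` output), x86_64 syscall numbers for the delete/rename calls, and plain quoted path names (audit hex-encodes names with special characters; those are left undecoded). The sample log lines are constructed for the example.

```python
"""Group raw audit.log records into events; report deletions and top keys."""
import collections
import os
import re
import sys

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

# x86_64 syscall numbers (assumption) for the calls that remove or rename a path.
DELETE_SYSCALLS = {"87": "unlink", "263": "unlinkat", "84": "rmdir",
                   "82": "rename", "264": "renameat", "316": "renameat2"}


def parse_record(line):
    """Split one audit record into a dict; None for lines without an audit id."""
    match = MSG_RE.search(line)
    if not match:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["_event"] = f"{match.group(1)}:{match.group(2)}"  # timestamp:serial
    fields["_time"] = match.group(1)
    return fields


def group_events(lines):
    """Map event id -> list of its records (SYSCALL, CWD, PATH, PROCTITLE ...)."""
    events = collections.OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["_event"], []).append(rec)
    return events


def syscall_record(records):
    return next((r for r in records if r.get("type") == "SYSCALL"), None)


def deletions(events):
    """Successful deletions: the PATH item with nametype=DELETE plus who did it."""
    found = []
    for records in events.values():
        sc = syscall_record(records)
        if sc is None or sc.get("success") != "yes" or sc.get("syscall") not in DELETE_SYSCALLS:
            continue
        cwd = next((r.get("cwd", "/") for r in records if r.get("type") == "CWD"), "/")
        for rec in records:
            if rec.get("type") == "PATH" and rec.get("nametype") == "DELETE":
                name = rec.get("name", "")
                found.append({
                    "time": sc["_time"], "syscall": DELETE_SYSCALLS[sc["syscall"]],
                    "auid": sc.get("auid"), "uid": sc.get("uid"),
                    "pid": sc.get("pid"), "ppid": sc.get("ppid"),
                    "exe": sc.get("exe"), "comm": sc.get("comm"),
                    # relative PATH names are relative to the event's cwd
                    "path": name if name.startswith("/") else os.path.join(cwd, name),
                })
    return found


def top_offenders(events, field="key", limit=10):
    """Most common values of one SYSCALL field (key, exe, comm, syscall, auid)."""
    counter = collections.Counter()
    for records in events.values():
        sc = syscall_record(records)
        if sc is not None:
            counter[sc.get(field, "(none)")] += 1
    return counter.most_common(limit)


# Constructed sample: `rm -rf myfolder` by auid 1000 (two unlinkat events),
# three `cp -rp` records hitting the perm_mod key, one failed execve from tcsh.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1745688900.101:5001): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55d1c0 a2=0 a3=0 items=2 ppid=4201 pid=4388 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=7 comm="rm" exe="/usr/bin/rm" key="delete"
type=CWD msg=audit(1745688900.101:5001): cwd="/srv"
type=PATH msg=audit(1745688900.101:5001): item=0 name="myfolder/" inode=1310721 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1745688900.101:5001): item=1 name="myfolder/report.csv" inode=1310730 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=PROCTITLE msg=audit(1745688900.101:5001): proctitle=726D002D7266006D79666F6C646572
type=SYSCALL msg=audit(1745688900.102:5002): arch=c000003e syscall=263 success=yes exit=0 a0=ffffff9c a1=55d1c0 a2=200 a3=0 items=2 ppid=4201 pid=4388 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=7 comm="rm" exe="/usr/bin/rm" key="delete"
type=CWD msg=audit(1745688900.102:5002): cwd="/srv"
type=PATH msg=audit(1745688900.102:5002): item=0 name="/srv" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1745688900.102:5002): item=1 name="myfolder" inode=1310721 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1745688930.240:5003): arch=c000003e syscall=260 success=yes exit=0 a0=4 a1=7ffd1c a2=3e8 a3=3e8 items=1 ppid=4201 pid=4512 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=7 comm="cp" exe="/usr/bin/cp" key="perm_mod"
type=SYSCALL msg=audit(1745688930.241:5004): arch=c000003e syscall=268 success=yes exit=0 a0=4 a1=7ffd1c a2=1a4 a3=0 items=1 ppid=4201 pid=4512 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=7 comm="cp" exe="/usr/bin/cp" key="perm_mod"
type=SYSCALL msg=audit(1745688930.242:5005): arch=c000003e syscall=260 success=yes exit=0 a0=4 a1=7ffd1c a2=3e8 a3=3e8 items=1 ppid=4201 pid=4512 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=7 comm="cp" exe="/usr/bin/cp" key="perm_mod"
type=SYSCALL msg=audit(1745688990.326:5006): arch=c000003e syscall=59 success=no exit=-2 a0=2601590 a1=261e010 a2=261d110 a3=7ffdc4a409e0 items=1 ppid=8930 pid=8938 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=8 comm="csh_test.sh" exe="/usr/bin/tcsh" key="non_sys_execs"
type=PATH msg=audit(1745688990.326:5006): item=0 name="/usr/local/bin/sleep" nametype=UNKNOWN
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 audit_events.py /var/log/audit/audit.log
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            events = group_events(fh)
    else:
        events = group_events(SAMPLE_LOG.splitlines())
    for d in deletions(events):
        print(f"{d['time']} {d['syscall']} {d['path']} by auid={d['auid']} uid={d['uid']} "
              f"pid={d['pid']} ppid={d['ppid']} exe={d['exe']}")
    for value, count in top_offenders(events, "key"):
        print(f"{count:8d} key={value}")
```

For the deletion case the `-w` watch from the RHEL 9 question records the event, and this output tells you which `exe`, `auid` and `ppid` to chase next; for the 4GB log, run it with `"exe"` or `"syscall"` as the field once the top key is known, since a key such as `perm_mod` covers several rules and the chown/chmod calls a recursive `cp -p` makes per file are what such a key counts.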
0
votes
1
answers
61
views
Users setup with misspelled name - CentOS 8
I have a user with a misspelled username on my CentOS 8 system which I thought I had corrected but I have noticed the username is showing up in the audit log incorrectly.
The correct username is:
- Example.User
The incorrect username is:
- Exampel.User
My AUID value is showing the incorrect username. Any pointers on how to correct this would be appreciated.
Cheers
Ewan
(1 rep)
Nov 3, 2023, 02:31 PM
• Last activity: Nov 3, 2023, 03:54 PM
1
votes
2
answers
1059
views
Linux How to find the id of a user who ran some particular command using sudo
In shared environment where multiple users have sudo account, I want to find out underlying user id (not a sudo account) details who has invoked particular script. Thanks.
I tried below but it does not fulfill my requirement : echo $USERNAME gives me sudo account details but I am looking for login id
AshwinD
(11 rep)
Sep 29, 2023, 02:22 AM
• Last activity: Sep 29, 2023, 11:44 AM