Audit Specific Command

Posted in Red Hat Enterprise Linux
Started 2017-12-02T10:20:01+00:00 by Davoud Teimouri (Community Member, 65 points)
Latest response 2017-12-04T06:54:00+00:00

Hi all,

How can we audit a specific command, like the RPM command, within Linux? Or create a report about the specific command?

Responses

Siem Korteweg (Expert, 1050 points), 4 December 2017 6:53 AM

Please refer to man auditd and audit.rules. You could add the following to the end of /etc/audit/audit.rules: "-w /bin/rpm -p x" to record each execution of /bin/rpm. Be sure to restart auditd.

    type=EXECVE msg=audit(1512368725.904:471681): argc=2 a0="rpm" a1="-qa"

Concerning https://access.redhat.com/discussions/3248901, you also need to audit /usr/bin/yum, and please note that "rpm -qa" will also be logged.
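For the reporting half of the question, the following is an added example, not part of the original thread: it pairs each EXECVE record with its SYSCALL record by event serial, decodes hex-encoded arguments, and lists who ran the watched command with which arguments. It assumes the watch rule was extended with `-k pkg_cmd` (the key name is hypothetical) so that matching events can be selected by key; the log lines other than the EXECVE record quoted above are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the EXECVE record quoted in the answer plus made-up
# records in audit.log layout (SYSCALL fields abridged). The key "pkg_cmd"
# is an assumption: it presumes the watch rule was given "-k pkg_cmd".
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1512368725.904:471681): syscall=59 success=yes a0=1f3c0d0 auid=1000 uid=0 exe="/usr/bin/rpm" key="pkg_cmd"
type=EXECVE msg=audit(1512368725.904:471681): argc=2 a0="rpm" a1="-qa"
type=SYSCALL msg=audit(1512368790.120:471702): syscall=59 success=yes a0=1f3c0d0 auid=1001 uid=0 exe="/usr/bin/rpm" key="pkg_cmd"
type=EXECVE msg=audit(1512368790.120:471702): argc=5 a0="rpm" a1="-q" a2="--qf" a3=257B4E414D457D20257B56455253494F4E7D a4="bash"
type=SYSCALL msg=audit(1512368801.377:471710): syscall=59 success=yes a0=1f3c0d0 auid=1001 uid=1001 exe="/usr/bin/ls" key=(null)
type=EXECVE msg=audit(1512368801.377:471710): argc=1 a0="ls"
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """auditd quotes plain strings and hex-encodes ones with spaces or specials."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value  # unquoted non-hex token such as (null)

def report(log_text, key="pkg_cmd"):
    """Return one row per execve event whose SYSCALL record carries `key`."""
    events = {}  # event serial -> {"epoch": int, "SYSCALL": {...}, "EXECVE": {...}}
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m and m.group(1) in ("SYSCALL", "EXECVE"):
            ev = events.setdefault(int(m.group(3)), {"epoch": int(m.group(2))})
            # Kept per record type: SYSCALL also has a0..a3 (raw syscall args).
            ev[m.group(1)] = dict(FIELD.findall(m.group(4)))
    rows = []
    for serial, ev in sorted(events.items()):
        sc, ex = ev.get("SYSCALL", {}), ev.get("EXECVE")
        if ex is None or decode(sc.get("key", "")) != key:
            continue
        argv = [decode(ex.get("a%d" % i, '""')) for i in range(int(ex["argc"]))]
        when = datetime.fromtimestamp(ev["epoch"], timezone.utc).isoformat()
        rows.append({"serial": serial, "time": when, "auid": sc.get("auid"), "argv": argv})
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row["time"], "auid=%s" % row["auid"], " ".join(map(repr, row["argv"])))
```

The auid field is the login UID, so the report attributes the command to the account that originally logged in even when it was run through sudo or su.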