Audit Specific Command

Hi all,
How can we audit a specific command, like the RPM command, within Linux?
Or create a report about the specific command?

Davoud Teimouri's picture


Please refer to man auditd and audit.rules. You could add the following to the end of /etc/audit/audit.rules: "-w /bin/rpm -p x" to record each execution of /bin/rpm. Be sure to restart auditd.

type=EXECVE msg=audit(1512368725.904:471681): argc=2 a0="rpm" a1="-qa"

Concerning this, you also need to audit /usr/bin/yum, and please note that "rpm -qa" will also be logged.
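
For the reporting half of the question, the sketch below is an added example, not part of the reply above: it joins each EXECVE record with the SYSCALL record that shares its event serial and lists every rpm run with its time, login UID (auid) and full argument list. The function names are hypothetical, and the SYSCALL lines and the second event are constructed sample data; only the first EXECVE line is the one quoted in the reply.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records; the first EXECVE line is the one quoted in the reply.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1512368725.904:471681): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 comm="rpm" exe="/usr/bin/rpm" key=(null)
type=EXECVE msg=audit(1512368725.904:471681): argc=2 a0="rpm" a1="-qa"
type=SYSCALL msg=audit(1512368790.112:471702): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=0 comm="rpm" exe="/usr/bin/rpm" key=(null)
type=EXECVE msg=audit(1512368790.112:471702): argc=3 a0="rpm" a1="-e" a2=6D7920706B67
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode(value):
    """Quoted values are literal; auditd hex-encodes values with spaces or special bytes."""
    if value.startswith('"'):
        return value[1:-1]
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def rpm_report(log_text, command="rpm"):
    """Join SYSCALL and EXECVE records by event serial; one row per run of `command`."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, epoch, serial, body = m.groups()
        fields = dict(FIELD.findall(body))
        ev = events[serial]
        ev["time"] = datetime.fromtimestamp(int(epoch), timezone.utc).isoformat()
        if rtype == "SYSCALL":
            ev["auid"] = fields.get("auid")  # login UID: who originally logged in
            ev["exe"] = decode(fields.get("exe", ""))
        elif rtype == "EXECVE":
            argc = int(fields.get("argc", 0))
            ev["argv"] = [decode(fields[f"a{i}"]) for i in range(argc) if f"a{i}" in fields]
    return [
        {"serial": s, **ev} for s, ev in sorted(events.items(), key=lambda kv: int(kv[0]))
        if ev.get("argv") and ev["argv"][0].rsplit("/", 1)[-1] == command
    ]

if __name__ == "__main__":
    for row in rpm_report(SAMPLE_LOG):
        print(row["time"], "auid=" + str(row.get("auid")), " ".join(row["argv"]))
```

Calling rpm_report with command="yum" gives the same report for yum once it is audited as well.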
