Audit Specific Command


Hi all,
How can we audit a specific command, like the RPM command, within Linux?
Or create a report about the specific command?


Please refer to man auditd and audit.rules. You could add the following to the end of /etc/audit/audit.rules: "-w /bin/rpm -p x" to record each execution of /bin/rpm. Remember to restart auditd.

type=EXECVE msg=audit(1512368725.904:471681): argc=2 a0="rpm" a1="-qa"

You also need to audit /usr/bin/yum, and please note that "rpm -qa" will also be logged.

