Audit Specific Command


Hi all,
How can we audit a specific command, like the RPM command, within Linux?
Or create a report about the specific command?

Responses

Please refer to man auditd and audit.rules. You could add the following to the end of /etc/audit/audit.rules: "-w /bin/rpm -p x" to record each execution of /bin/rpm. Remember to restart auditd.

type=EXECVE msg=audit(1512368725.904:471681): argc=2 a0="rpm" a1="-qa"

Concerning https://access.redhat.com/discussions/3248901, you also need to audit /usr/bin/yum and please note that "rpm -qa" also will be logged.
