
I have some auditd rules like:

-a always,exit -F arch=b32 -S execve -F euid=1002 -k mytag
-a always,exit -F arch=b64 -S execve -F euid=1002 -k mytag

-a always,exit -F arch=b32 -S execve -F euid=1003 -k mytag
-a always,exit -F arch=b64 -S execve -F euid=1003 -k mytag

This is working fine, but I also want to track the sudo commands run by these users, so I added

-a always,exit -F arch=b32 -S execve -F euid=0 -k mytag
-a always,exit -F arch=b64 -S execve -F euid=0 -k mytag

But the sudo commands do not seem to be tagged with the key. Is there anything wrong with specifying both of these sets of commands? Does the order of these rules matter?

Thanks.

Ani
  • Do you mean that the commands were logged without the tag, or that the commands were not logged? What other audit rules do you have? – Michael Hampton Nov 12 '20 at 10:50
  • I did see the logs but they didn't have the tag. I have to mention that I have audisp also enabled. – Ani Nov 13 '20 at 12:01
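A check for the situation described in the question, added here as an example and not part of the original post: it parses auditd SYSCALL records (constructed sample lines in the single-line format auditd writes) and lists execve events from the watched login UIDs that lack the expected key. It filters on auid rather than euid, because auid is set at login and is not changed by sudo, so it still identifies the user behind a root-privileged execve; the watched UIDs and the key name "mytag" are taken from the question.

```python
import re

# Constructed sample records in auditd's one-line SYSCALL format, trimmed to
# the fields the rules filter on. syscall=59 is execve on x86_64 (arch=c000003e).
# The two root-privileged execs (sudo and the command it ran) carry no key,
# which is the symptom described in the question.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1605182400.101:2001): arch=c000003e syscall=59 success=yes exit=0 uid=1002 euid=1002 auid=1002 ses=3 comm="ls" exe="/usr/bin/ls" key="mytag"
type=SYSCALL msg=audit(1605182405.202:2002): arch=c000003e syscall=59 success=yes exit=0 uid=0 euid=0 auid=1002 ses=3 comm="sudo" exe="/usr/bin/sudo" key=(null)
type=SYSCALL msg=audit(1605182405.303:2003): arch=c000003e syscall=59 success=yes exit=0 uid=0 euid=0 auid=1002 ses=3 comm="systemctl" exe="/usr/bin/systemctl" key=(null)
type=SYSCALL msg=audit(1605182410.404:2004): arch=c000003e syscall=59 success=yes exit=0 uid=0 euid=0 auid=4294967295 ses=4294967295 comm="cron" exe="/usr/sbin/cron" key=(null)
type=SYSCALL msg=audit(1605182415.505:2005): arch=c000003e syscall=59 success=yes exit=0 uid=1003 euid=1003 auid=1003 ses=5 comm="cat" exe="/usr/bin/cat" key="mytag"
"""

# key=value pairs; values are double-quoted strings, "(null)", or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
EXECVE = {"59", "11"}  # execve syscall number on x86_64 (b64) and i386 (b32)

def parse_record(line):
    """Turn one audit record into a dict; strip quotes and map (null) to None."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value == "(null)":
            value = None
        elif value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields

def untagged_execs(log, watched_auids, expected_key="mytag"):
    """Return (auid, euid, comm, key) for execve records from the watched
    login UIDs whose key is not the expected one. Unset auid (4294967295,
    e.g. daemons started at boot) is never in watched_auids, so it is skipped."""
    misses = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") not in EXECVE:
            continue
        if rec.get("auid") in watched_auids and rec.get("key") != expected_key:
            misses.append((rec["auid"], rec["euid"], rec["comm"], rec.get("key")))
    return misses

if __name__ == "__main__":
    for auid, euid, comm, key in untagged_execs(SAMPLE_LOG, {"1002", "1003"}):
        print(f"untagged execve: auid={auid} euid={euid} comm={comm} key={key}")
```

Rule order does matter: the kernel stops at the first exit-filter rule that matches a syscall and attaches only that rule's key, so an earlier execve rule without -k (for example one loaded from another rules file) would produce exactly this kind of untagged record; `auditctl -l` shows the effective order.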

0 Answers