linux-audit / audit-kernel

GitHub mirror of the Linux Kernel's audit repository
https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git

BUG: USER_CMD is not recording every user command #164

Closed mahendra9408 closed 1 month ago

mahendra9408 commented 1 month ago

USER_CMD is not showing all user activity commands in the logs. It is only showing the commands executed with sudo; all the other commands, executed without sudo, are not showing up in the USER_CMD type.

The below are my logs output for the command executed with sudo:

```
type=PROCTITLE msg=audit(07/15/24 10:15:09.129:2599) : proctitle=sudo mahendra.com
type=EXECVE msg=audit(07/15/24 10:15:09.129:2599) : argc=2 a0=sudo a1=mahendra.com
type=USER_CMD msg=audit(07/15/24 10:15:09.141:2601) : pid=3514 uid=root auid=ubuntu ses=4 subj=unconfined msg='cwd=/etc/audit/rules.d cmd=mahendra.com exe=/usr/bin/sudo terminal=pts/2 res=failed'
```

The below are the logs for the commands which are not executed with sudo:

```
type=PROCTITLE msg=audit(07/15/24 10:16:43.801:2720) : proctitle=curl mahesh.com
type=EXECVE msg=audit(07/15/24 10:16:43.801:2720) : argc=2 a0=curl a1=mahesh.com
```

Not sure what's happening. I've been stuck here for the past week.

The below are my rules (`cat /etc/audit/rules.d/audit.rules`):

```
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determines how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1

-a always,exit -F arch=b64 -S execve -k user_cmd
-a always,exit -F arch=b32 -S execve -k user_cmd
```

pcmoore commented 1 month ago

The USER_CMD audit record is generated by an instrumented userspace program that wants to add additional information to the audit stream; it is not generated by the kernel. Closing this issue as there is nothing we can do at the kernel level.
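The distinction drawn above, as an added example that is not code from the issue or the audit project: a small parser over the interpreted (`ausearch -i`) records quoted in the issue, showing that the non-sudo `curl` run is fully recorded by the kernel's `EXECVE` record from the `execve` rule, while `USER_CMD` only ever appears for the command sudo itself reported. The log sample is constructed from the records in the issue; the argument handling assumes the interpreted format shown there (raw logs hex-encode arguments that contain spaces, which this parser does not handle).

```python
import os
import re

# Constructed sample in `ausearch -i` form, modelled on the records quoted in the issue:
# serials 2599/2601 are the sudo invocation, serial 2720 is the plain curl without sudo.
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(07/15/24 10:15:09.129:2599) : proctitle=sudo mahendra.com
type=EXECVE msg=audit(07/15/24 10:15:09.129:2599) : argc=2 a0=sudo a1=mahendra.com
type=USER_CMD msg=audit(07/15/24 10:15:09.141:2601) : pid=3514 uid=root auid=ubuntu ses=4 subj=unconfined msg='cwd=/etc/audit/rules.d cmd=mahendra.com exe=/usr/bin/sudo terminal=pts/2 res=failed'
type=PROCTITLE msg=audit(07/15/24 10:16:43.801:2720) : proctitle=curl mahesh.com
type=EXECVE msg=audit(07/15/24 10:16:43.801:2720) : argc=2 a0=curl a1=mahesh.com
"""

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>.+?):(?P<serial>\d+)\) : (?P<body>.*)$")
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\S+)")


def parse_fields(body):
    """Split "k=v k2=v2 msg='...'" into a dict; quoted values lose their quotes."""
    return {k: v.strip("'") for k, v in FIELD_RE.findall(body)}


def command_events(log_text):
    """One dict per command-bearing record: EXECVE (kernel, produced by the execve
    syscall rule) and USER_CMD (userspace, emitted by sudo for the command it ran)."""
    events = []
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        fields = parse_fields(m["body"])
        if m["type"] == "EXECVE":
            argv = [fields[f"a{i}"] for i in range(int(fields["argc"]))]
            events.append({"serial": int(m["serial"]), "source": "EXECVE",
                           "cmd": " ".join(argv), "auid": None})
        elif m["type"] == "USER_CMD":
            inner = parse_fields(fields["msg"])  # cwd=, cmd=, exe=, terminal=, res=
            events.append({"serial": int(m["serial"]), "source": "USER_CMD",
                           "cmd": inner["cmd"], "auid": fields.get("auid"),
                           "exe": inner.get("exe"), "res": inner.get("res")})
    return events


def commands_without_user_cmd(events):
    """EXECVE commands not wrapped by sudo: these never get a USER_CMD record,
    so the kernel EXECVE record is the only place they are logged."""
    return [e["cmd"] for e in events if e["source"] == "EXECVE"
            and os.path.basename(e["cmd"].split()[0]) != "sudo"]
```

Keying on `EXECVE` records (the `user_cmd` key in the rules above already tags them) rather than on `USER_CMD` gives the complete command history the reporter was after.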