
audit customization (f.e. getting PPID and full command)

  • 1.  audit customization (f.e. getting PPID and full command)

    Posted Fri September 11, 2015 07:16 AM

    Originally posted by: Tibor_B


    Hi,

     

    I would like to audit all instances of running ssh, but I would also like to have the ppid and the full command with arguments. I have successfully set up the audit and I am getting info about ssh (who, when), but I cannot get, for example, the PPID.

    My setup is:

    /etc/security/audit/config

    classes:
        ssh = SSH_EXEC

    users:
        default = ssh

    /etc/security/audit/objects

    /usr/bin/ssh:
        x = "SSH_EXEC"

    /etc/security/audit/events

    SSH_EXEC = printf "event = %s cmd = %s time = %s pid = %d ppid = %d"

    But I don't get all the desired info in auditpr; what I see is:

    SSH_EXEC bam2025 OK Fri Sep 11 12:15:39 2015 ssh Global
    event = audit object exec event detected /usr/bin/ssh cmd = time = pid = 0 ppid = 0

    Can you advise? Thanks.



    #AIX-Forum