Originally posted by: Tibor_B
Hi,
I would like to audit all instances of running ssh, but I would also like to have the ppid and the full command with arguments. I have successfully set up the audit, and I am getting info about ssh (who, when), but I cannot get, for example, the PPID.
My setup is:
/etc/security/audit/config

    classes:
        ssh = SSH_EXEC
    users:
        default = ssh

/etc/security/audit/objects

    /usr/bin/ssh:
        x = "SSH_EXEC"

/etc/security/audit/events

    SSH_EXEC = printf "event = %s cmd = %s time = %s pid = %d ppid = %d"

But I don't get all the desired info in auditpr; what I see is:
SSH_EXEC bam2025 OK Fri Sep 11 12:15:39 2015 ssh Global
event = audit object exec event detected /usr/bin/ssh cmd = time = pid = 0 ppid = 0
Can you advise? Thanks.