Hello (again)
I am doing the following Linux command testing who has access to crontab.
For a non-privileged user, I do the following under the user name "unauth":
mysearchhead> crontab -l
and receive the following:
You (unauth) are not allowed to use this program (crontab)
See crontab(1) for more information
In Splunk, I can see the attempt using:
host="mysearchhead" sourcetype=linux_audit a0=crontab type=EXECVE
Resulting event is:
6/17/16 2:33:54.039 PM
type=EXECVE msg=audit(1466174034.039:787184230): argc=2 a0="crontab" a1="-l"
host = mysearchhead source = /var/log/audit/audit.log sourcetype = linux_audit
My question is: where is the message stored that user "unauth" is not allowed to use this program?
Many thanks in advance
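As an added example (not part of the original post, and not Splunk's or auditd's own code), the following script shows what the audit trail actually records for the attempt above: auditd writes one EXECVE record with the argv, plus companion SYSCALL, CWD and PATH records that share the same audit serial (the number after the colon in msg=audit(1466174034.039:787184230)). Joining on that serial is how the EXECVE line gets attributed to a uid/auid. The EXECVE line is the one from the post; the SYSCALL and CWD lines, the uid values, the key name and the second event are constructed. Note that success=yes / exit=0 on the SYSCALL record describe the execve() call itself (the binary started), not whether crontab later refused the user; the "not allowed" text is crontab's own output and is not part of any audit record.

```python
import re
from collections import defaultdict

# Constructed sample. The EXECVE line of serial 787184230 is the one from the post;
# the SYSCALL/CWD companions and the uid values are assumed. Serial 787184231 is a
# second constructed event whose a1 is hex-encoded, as auditd does for arguments
# containing spaces or quotes.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1466174034.039:787184230): arch=c000003e syscall=59 success=yes exit=0 a0=7ffd1e3c0a10 a1=7ffd1e3c0a30 a2=7ffd1e3c0a40 a3=7f9c1d0 items=2 ppid=4021 pid=4077 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=12 comm="crontab" exe="/usr/bin/crontab" key="cron_access"
type=EXECVE msg=audit(1466174034.039:787184230): argc=2 a0="crontab" a1="-l"
type=CWD msg=audit(1466174034.039:787184230):  cwd="/home/unauth"
type=EXECVE msg=audit(1466174040.120:787184231): argc=2 a0="crontab" a1=6D792066696C65
"""

_MSG_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Parse one audit.log line into {type, ts, serial, fields}; None if it is not an audit record."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    rtype = m.group('type')
    fields = {}
    for key, whole, inner in _KV_RE.findall(m.group('rest')):
        quoted = whole.startswith('"')
        value = inner if quoted else whole
        # auditd hex-encodes EXECVE arguments that contain spaces/quotes and emits them unquoted.
        if rtype == 'EXECVE' and re.fullmatch(r'a\d+', key) and not quoted and re.fullmatch(r'[0-9A-Fa-f]+', value) and len(value) % 2 == 0:
            value = bytes.fromhex(value).decode('utf-8', 'replace')
        fields[key] = value
    return {'type': rtype, 'ts': float(m.group('ts')), 'serial': int(m.group('serial')), 'fields': fields}


def group_events(text):
    """Group records by audit serial: {serial: {record_type: [records...]}} (PATH repeats per item)."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec['serial']][rec['type']].append(rec)
    return events


def summarize_execve(event):
    """Join the EXECVE argv with the SYSCALL/CWD records sharing its serial."""
    execve = event.get('EXECVE', [None])[0]
    if execve is None:
        return None
    f = execve['fields']
    argv = [f['a%d' % i] for i in range(int(f['argc']))]
    summary = {'ts': execve['ts'], 'argv': argv}
    syscall = event.get('SYSCALL', [None])[0]
    if syscall is not None:
        s = syscall['fields']
        summary.update(
            auid=int(s['auid']), uid=int(s['uid']), euid=int(s['euid']),
            exe=s.get('exe'), tty=s.get('tty'),
            # success/exit belong to execve(), i.e. "the binary started", not to what crontab then decided.
            exec_succeeded=(s.get('success') == 'yes'),
        )
    cwd = event.get('CWD', [None])[0]
    if cwd is not None:
        summary['cwd'] = cwd['fields'].get('cwd')
    return summary


def crontab_invocations(text):
    """Return summaries of every event whose EXECVE argv[0] is crontab, oldest first."""
    out = []
    for serial, event in sorted(group_events(text).items()):
        s = summarize_execve(event)
        if s and s['argv'] and s['argv'][0].rsplit('/', 1)[-1] == 'crontab':
            s['serial'] = serial
            out.append(s)
    return out


if __name__ == '__main__':
    for inv in crontab_invocations(SAMPLE_AUDIT_LOG):
        print(inv)
```

The a0=crontab match used in the Splunk search in the post only sees the EXECVE record; the SYSCALL record with the same serial is what carries auid/uid, and a crontab denial leaves no distinct audit record unless the program itself logs it elsewhere.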