>> What do you need to do and what do the (even audit) logs say about who performed an activity whenever administrative activity happens?
By activity you mean who ran some process? Doesn't enabling audit on all execve, execveat and looking at AUID besides EUID and UID fields tell you that? Or am I missing something? You may want to configure ENHANCED format in auditd for convenience.
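The approach raised in the comment above, as an added example that is not part of the thread: a parser that reads execve/execveat SYSCALL records and attributes each one to the login uid (auid), comparing it with uid and euid. The audit rule, the key name `exec` and the sample records are constructed assumptions, and the syscall numbers are the x86_64 ones.

```python
import re

# Assumed audit rule (key name "exec" is hypothetical):
#   -a always,exit -F arch=b64 -S execve -S execveat -k exec
UNSET_AUID = 4294967295  # (uint32)-1: process has no login session
EXEC_SYSCALLS = {"59": "execve", "322": "execveat"}  # x86_64 syscall numbers

# Constructed sample records in auditd's raw format, trimmed to the relevant fields.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:101): arch=c000003e syscall=59 success=yes pid=2002 auid=1000 uid=0 euid=0 ses=3 exe="/usr/bin/systemctl" key="exec"
type=SYSCALL msg=audit(1700000001.102:102): arch=c000003e syscall=59 success=yes pid=2003 auid=1000 uid=1000 euid=1000 ses=3 exe="/usr/bin/ls" key="exec"
type=SYSCALL msg=audit(1700000002.103:103): arch=c000003e syscall=59 success=yes pid=911 auid=4294967295 uid=0 euid=0 ses=4294967295 exe="/usr/sbin/logrotate" key="exec"
type=SYSCALL msg=audit(1700000003.104:104): arch=c000003e syscall=257 success=yes pid=2003 auid=1000 uid=1000 euid=1000 ses=3 exe="/usr/bin/ls" key="files"
type=SYSCALL msg=audit(1700000004.105:105): arch=c000003e syscall=322 success=yes pid=2010 auid=1001 uid=1001 euid=0 ses=5 exe="/usr/bin/passwd" key="exec"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def exec_events(log_text):
    """Return one dict per execve/execveat record, attributed to the login uid."""
    events = []
    for line in log_text.splitlines():
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        if f.get("type") != "SYSCALL" or f.get("syscall") not in EXEC_SYSCALLS:
            continue  # not an exec record (e.g. the openat line in the sample)
        auid, uid, euid = int(f["auid"]), int(f["uid"]), int(f["euid"])
        if auid == UNSET_AUID:
            origin = "no-login-session"   # daemon or boot-time process
        elif auid != uid or auid != euid:
            origin = "identity-changed"   # su/sudo/setuid: auid still names the login user
        else:
            origin = "direct"
        events.append({"syscall": EXEC_SYSCALLS[f["syscall"]], "exe": f["exe"],
                       "auid": auid, "uid": uid, "euid": euid, "origin": origin})
    return events

if __name__ == "__main__":
    for e in exec_events(SAMPLE_LOG):
        print(e)
```

Records with an unset auid cannot be tied to a person from these fields alone, which is why the parser reports them as a separate class.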
noinsight|1 year ago