audit_log_user_command - Linux


Overview

audit_log_user_command is a Linux command used to configure and manage user command audit logging within the Linux Audit Framework. It lets administrators specify which user commands are audited and which details are recorded for them.

Syntax

audit_log_user_command [--list] [--add <command>] [--delete <command>] [--all] [--profile <profile>] 

Options/Flags

  • --list: Lists all user command audit rules currently configured.
  • --add <command>: Adds a new user command audit rule for the specified command.
  • --delete <command>: Deletes the user command audit rule for the specified command.
  • --all: Adds or removes audit rules for all user commands.
  • --profile <profile>: Uses the specified SELinux profile to determine which commands should be audited.

Examples

List User Command Audit Rules

audit_log_user_command --list

Add User Command Audit Rule

audit_log_user_command --add ls -a -l

Delete User Command Audit Rule

audit_log_user_command --delete ls

Add Rules for All Commands Using a Profile

audit_log_user_command --all --profile base

Common Issues

  • Error: Command not found: Ensure that the specified command exists on the system.
  • Permission denied: Verify that the user running the command has sufficient permissions to configure audit settings.

Integration

audit_log_user_command can be integrated with other commands and tools for advanced audit tasks:

  • Use with auditctl to view and modify audit settings.
  • Combine with auditd to start, stop, and manage the audit daemon.
  • Integrate into scripts or command chains to automate audit configuration management.

Related Commands

  • auditctl: Manage audit controls and settings.
  • auditd: Audit daemon responsible for enforcing audit policies.