How to log execution of a specific binary/script using auditd or other
No matter how you do this in auditd you will have to use some parser to get the information you want (unless one of ausearch's options will help).
To start with, to monitor just specific commands, and lets say the commands are /usr/bin/who (a binary) and /usr/bin/whatis (a shell script), then use the rules
-w /usr/bin/who -p x -k my_execs
-w /usr/bin/whatis -p x -k my_execs
After setting these rules, restart the auditd service, then execute
who -a
whatis who
then as root
ausearch -i -k my_execs
to get
----
node=mynode.mydomain type=CONFIG_CHANGE msg=audit(11/18/2015 08:38:22.724:847290) : auid=burn ses=145 subj=unconfined_u:system_r:auditctl_t:s0 op="add rule" key=my_execs list=exit res=yes
----
node=mynode.mydomain type=CONFIG_CHANGE msg=audit(11/18/2015 08:38:22.724:847291) : auid=burn ses=145 subj=unconfined_u:system_r:auditctl_t:s0 op="add rule" key=my_execs list=exit res=yes
----
node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:25.381:847344) : item=1 name=(null) inode=524297 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:25.381:847344) : item=0 name=/usr/bin/who inode=2102799 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
node=mynode.mydomain type=CWD msg=audit(11/18/2015 08:38:25.381:847344) : cwd=/tmp
node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:25.381:847344) : argc=2 a0=who a1=-a
node=mynode.mydomain type=SYSCALL msg=audit(11/18/2015 08:38:25.381:847344) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x11728e0 a1=0x1172d90 a2=0x10e8020 a3=0x18 items=2 ppid=1810 pid=22443 auid=burn uid=burn gid=burn euid=burn suid=burn fsuid=burn egid=burn sgid=burn fsgid=burn tty=pts0 ses=145 comm=who exe=/usr/bin/who subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=my_execs
----
node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=2 name=(null) inode=524297 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=1 name=(null) inode=786482 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
node=mynode.mydomain type=PATH msg=audit(11/18/2015 08:38:31.052:847381) : item=0 name=/usr/bin/whatis inode=2112811 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL
node=mynode.mydomain type=CWD msg=audit(11/18/2015 08:38:31.052:847381) : cwd=/tmp
node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:31.052:847381) : argc=2 a0=/bin/sh a1=/usr/bin/whatis
node=mynode.mydomain type=EXECVE msg=audit(11/18/2015 08:38:31.052:847381) : argc=3 a0=/bin/sh a1=/usr/bin/whatis a2=who
node=mynode.mydomain type=SYSCALL msg=audit(11/18/2015 08:38:31.052:847381) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x1172d90 a1=0x1172500 a2=0x10e8020 a3=0x18 items=3 ppid=1810 pid=22504 auid=burn uid=burn gid=burn euid=burn suid=burn fsuid=burn egid=burn sgid=burn fsgid=burn tty=pts0 ses=145 comm=whatis exe=/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=my_execs
You can see that ausearch has extracted the events you want (using your key). The SYSCALL elements give you the who, where and other elements, the EXECVE elements give you the arguments, the CWD the location and the PATH's details about files involved. For reference on this system the inodes above map to
524297 /lib64/ld-2.12.so
2102799 /usr/bin/who
786482 /bin/bash
2112811 /usr/bin/whatis
You can check out https://people.redhat.com/sgrubb/audit for more information