perhaps obvious question: auditd and setuid/setgid?

rshaw1 at umbc.edu rshaw1 at umbc.edu
Thu Sep 3 02:32:30 UTC 2015


> I'm currently testing auditd with rules for setuid or setgid binaries on
> the system.
>
> I currently maintain the list via find, and pushing the results to an
> audit.rules file.
>
> I'm hoping there's a cleaner way, perhaps by triggering on the
> appropriate syscall -- but have not discovered it.
>
> Is there an easier method?

The find method is what I use (though I push it to a file in rules.d and
then run augenrules, which for RHEL5/6 I just stole from RHEL7).  Using
find to generate these rules is actually in the text of, IIRC, at least
one of the RHEL STIGs (6, draft of 7, possibly both), though not quite as
automated as the way I do it.

--Ray
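The find-driven workflow Ray describes (enumerate setuid/setgid binaries, write one watch rule per file into rules.d, run augenrules), as an added example that is not Ray's own script and not from the linux-audit project. The rule shape (path watch with perm=x, auid>=1000, auid!=unset, key "privileged") is the common privileged-command form; the key name, the auid threshold (1000 on RHEL 7, 500 on RHEL 6), the "unset" keyword (older auditctl on RHEL 6 needs 4294967295 instead) and the 50-setuid-setgid.rules file name are assumptions to adjust per site.

```shell
#!/bin/sh
# Generate auditd rules for every setuid/setgid binary under a root directory,
# in the shape used for privileged-command auditing:
#   -a always,exit -F path=<file> -F perm=x -F auid>=<min> -F auid!=unset -k <key>
# Assumptions (not from the thread): key "privileged", min auid 1000, "unset"
# keyword (use 4294967295 on audit versions that do not know "unset").

# gen_suid_rules ROOT [KEY] [MIN_AUID]
# Prints one rule per setuid or setgid regular file under ROOT. Stays on one
# filesystem (-xdev) so /proc, /sys and network mounts are not walked.
gen_suid_rules() {
    root=${1:-/}
    key=${2:-privileged}
    min_auid=${3:-1000}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | LC_ALL=C sort \
        | while IFS= read -r path; do
            printf '%s\n' "-a always,exit -F path=$path -F perm=x -F auid>=$min_auid -F auid!=unset -k $key"
        done
}

# count_suid_rules ROOT: how many rules gen_suid_rules would emit; a quick
# sanity check before replacing the rules file.
count_suid_rules() {
    gen_suid_rules "$1" | wc -l | tr -d ' '
}

# install_suid_rules: write a fresh rules.d fragment and reload via augenrules.
# Needs root. File name and 50- ordering prefix are a local convention.
install_suid_rules() {
    rules_file=/etc/audit/rules.d/50-setuid-setgid.rules
    tmp=$(mktemp) || return 1
    {
        printf '## setuid/setgid binaries, generated %s by %s\n' "$(date -u +%FT%TZ)" "$0"
        gen_suid_rules / privileged 1000
    } > "$tmp"
    # An empty list means find failed, not that the box has no setuid binaries;
    # do not silently replace the existing rules with nothing.
    if [ "$(grep -c '^-a ' "$tmp")" -eq 0 ]; then
        echo "no setuid/setgid binaries found under /, not touching $rules_file" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0640 -o root -g root "$tmp" "$rules_file" && rm -f "$tmp"
    augenrules --load
}

# Usage: ./suid-rules.sh show [ROOT]   (print rules only)
#        ./suid-rules.sh install       (write rules.d fragment and reload, as root)
case "${1:-}" in
    install) install_suid_rules ;;
    show)    gen_suid_rules "${2:-/}" ;;
esac
```

Run it from cron or a config-management hook after package updates, since a package upgrade can add or drop a setuid binary without anyone editing the rules file; the empty-result guard is there because a find that dies early (unreadable directory, wrong root) would otherwise erase every existing watch on the next augenrules load.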



