auditd rule error

Steve Grubb sgrubb at redhat.com
Mon Jun 11 14:27:32 UTC 2018


On Monday, June 11, 2018 8:39:26 AM EDT Joshua Ammons wrote:
> On a server running RHEL 7.2 the audit rules fail to load due to an error
> on this rule:
> 
> -a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
>
> From what I have found it seems "exe" may not be a valid field on this
> specific O.S. - is this correct?

That might have been targeted for the 7.4 kernel.

> Does anyone have any recommendations on how to track elevated privileges
> for all RHEL 6/7 systems?

The exe field is used for what we call audit by executable. This is for when 
you want to zero in on a particular program performing some action like 
calling accept. If you simply want notification that an application was 
invoked, then you would just set up a watch for execute.

-a always,exit -F path=/usr/bin/su -F perm=x -F key=10.2.5.b-elevated-privs-session

That should work across RHEL 6 & 7. Also, you will get events from pam as the 
user authenticates and starts the session. So, you should be able to find 
those with this search:

ausearch --start today -x /usr/bin/su -m USER_START -w -i

-Steve
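The thread's point is that a rule using the `exe` field can refuse to load on an older kernel, while an execute watch on the same binary loads everywhere. The script below is an added example, not code from the mailing list or from the audit project: it parses auditctl-style rule lines, flags `exe` as a field the thread reports as unsupported on RHEL 7.2 (the set of "newer-kernel" fields is this script's own assumption, not anything auditd publishes), and rewrites such rules into the execute-watch form Steve suggests so a ruleset can be checked before it is shipped to a mixed RHEL 6/7 fleet. The two sample rules embedded at the bottom are the ones from this thread.

```python
"""Portable audit-rule linter (added example, not from the thread or auditd).

Parses auditctl-style rule lines and, for any rule that relies on a field
older kernels may reject, proposes the execute-watch form from the thread.
"""
import re
import shlex
from dataclasses import dataclass, field

# Assumption maintained by this script: fields that the thread reports as
# failing to load on RHEL 7.2.  Extend it if your fleet rejects others.
NEWER_KERNEL_FIELDS = {"exe"}

# -F expressions look like name=value, name!=value, name>=value, ...
FILTER_RE = re.compile(r"^([A-Za-z0-9_]+)(!=|>=|<=|=|>|<)(.*)$")


@dataclass
class AuditRule:
    raw: str = ""                                  # original line, stripped
    action: str = ""                               # e.g. "always,exit"
    syscalls: list = field(default_factory=list)   # from -S
    filters: list = field(default_factory=list)    # (name, op, value) tuples


def parse_rule(line):
    """Parse one syscall rule (-a/-S/-F/-k) into an AuditRule."""
    tokens = shlex.split(line)
    rule = AuditRule(raw=line.strip())
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok not in ("-a", "-S", "-F", "-k"):
            raise ValueError(f"unsupported token {tok!r} in rule: {line!r}")
        if i + 1 >= len(tokens):
            raise ValueError(f"{tok} needs an argument in rule: {line!r}")
        arg = tokens[i + 1]
        if tok == "-a":
            rule.action = arg
        elif tok == "-S":
            rule.syscalls.extend(arg.split(","))
        elif tok == "-F":
            m = FILTER_RE.match(arg)
            if not m:
                raise ValueError(f"bad -F expression {arg!r} in rule: {line!r}")
            rule.filters.append(m.groups())
        else:  # -k is shorthand for -F key=...
            rule.filters.append(("key", "=", arg))
        i += 2
    return rule


def unsupported_fields(rule):
    """Names of filter fields this linter treats as newer-kernel only."""
    return sorted({n for n, _, _ in rule.filters if n in NEWER_KERNEL_FIELDS})


def to_execute_watch(rule):
    """Rewrite an exe-based rule into the portable execute watch from the thread.

    Returns None when the rule has no exe field.  The key is carried over so
    the replacement stays searchable under the same -k value.
    """
    exe = next((v for n, _, v in rule.filters if n == "exe"), None)
    if exe is None:
        return None
    key = next((v for n, _, v in rule.filters if n == "key"), None)
    parts = ["-a", "always,exit", "-F", f"path={exe}", "-F", "perm=x"]
    if key:
        parts += ["-F", f"key={key}"]
    return " ".join(parts)


def lint_rules(text):
    """Return one report dict per rule line (comments and blanks skipped)."""
    report = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        report.append({
            "rule": rule.raw,
            "unsupported": unsupported_fields(rule),
            "suggestion": to_execute_watch(rule),
        })
    return report


# Constructed sample: the two rules discussed in the thread.
SAMPLE_RULES = """
# audit-by-executable form; fails to load on the RHEL 7.2 kernel per the thread
-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
# execute-watch form; loads on RHEL 6 and 7
-a always,exit -F path=/usr/bin/su -F perm=x -F key=10.2.5.b-elevated-privs-session
"""

if __name__ == "__main__":
    for entry in lint_rules(SAMPLE_RULES):
        print(entry["rule"])
        if entry["unsupported"]:
            print("  needs newer kernel for:", ", ".join(entry["unsupported"]))
            print("  portable replacement:  ", entry["suggestion"])
```

Run it against a rules file before distribution (`python lint.py < audit.rules` after swapping `SAMPLE_RULES` for `sys.stdin.read()`); a rule that is flagged can be replaced with the suggested watch, and the events it produces are still found by the `ausearch ... -x /usr/bin/su` search from the reply because the key and path are unchanged.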