On Thursday, December 22, 2011 04:19:34 PM Bryan Jacobs wrote:
> I am attempting to create a rule that will audit privileged
> commands for UIDs greater than 500 but ignore one particular user that
> falls under this rule. The user I am trying to ignore is the only user
> that should be touching the file.
>
> Below is the rule.
>
> #### BEGIN RULE SNIP ####
>
> ## Ensure auditd Collects Information on the Use of Privileged Commands
>
> -a always,exit -F path=/opt/varonis1.6.0106/bin/ls -F perm=x -F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged
>
> #### END RULE SNIP ####
>
> Is the rule syntax above correct?
This looks correct to me.

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
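The rule in the thread works because auditctl ANDs every `-F` condition: an execve of the watched path is recorded only when the login UID is at least 500, is not the "unset" value 4294967295 (which is (unsigned)-1, and would otherwise satisfy `auid>=500`), and is not 505. The following is an added illustration, not code from the thread or from the audit project: a small Python model of that filter semantics, with a parser for the subset of `auditctl` syntax the rule uses and a handful of constructed events (the event dictionaries, the `perm` values and the helper names are assumptions for the example, not real audit log data).

```python
import re

# Login UID that was never set (e.g. daemons started at boot). It is (unsigned)-1,
# so it compares as a very large number and must be excluded explicitly.
AUID_UNSET = 4294967295

# Comparison operators accepted after -F, longest first so "!=" and ">=" are
# recognised before "=" and ">".
_OPS = [
    ("!=", lambda a, b: a != b),
    (">=", lambda a, b: a >= b),
    ("<=", lambda a, b: a <= b),
    (">",  lambda a, b: a > b),
    ("<",  lambda a, b: a < b),
    ("=",  lambda a, b: a == b),
]

# Fields whose values are compared numerically in this model.
_NUMERIC_FIELDS = {"auid", "uid", "euid", "gid", "pid", "ppid"}


def parse_rule(rule):
    """Parse '-a list,action -F field<op>value ... -k key' into
    (list, action, filters, key). Only the syntax used in the thread is handled."""
    tokens = rule.split()
    filters, key, list_action = [], None, None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-a":
            list_action = tokens[i + 1]
            i += 2
        elif tok == "-F":
            expr = tokens[i + 1]
            for op, fn in _OPS:
                if op in expr:
                    field, value = expr.split(op, 1)
                    break
            else:
                raise ValueError("no comparison operator in " + expr)
            if field in _NUMERIC_FIELDS:
                value = int(value)
            filters.append((field, op, fn, value))
            i += 2
        elif tok == "-k":
            key = tokens[i + 1]
            i += 2
        else:
            raise ValueError("unsupported token " + tok)
    lst, action = list_action.split(",")
    return lst, action, filters, key


def rule_matches(rule, event):
    """Return True only if every -F condition holds for the event (conditions are ANDed).
    event is a dict with keys 'path', 'perm' (subset of 'rwxa') and 'auid'."""
    _, _, filters, _ = parse_rule(rule)
    for field, op, fn, value in filters:
        if field == "perm":
            # perm=x on a path watch fires only when the access includes execute
            if not (set(value) & set(event["perm"])):
                return False
        elif not fn(event[field], value):
            return False
    return True


# The rule from the thread, as one line.
RULE = ("-a always,exit -F path=/opt/varonis1.6.0106/bin/ls -F perm=x "
        "-F auid>=500 -F auid!=4294967295 -F auid!=505 -k privileged")

# Constructed sample events for the example (not captured audit data).
_BIN = "/opt/varonis1.6.0106/bin/ls"
EVENTS = {
    "user 501 executes the binary":         {"path": _BIN,    "perm": "x", "auid": 501},
    "excluded user 505 executes it":        {"path": _BIN,    "perm": "x", "auid": 505},
    "root executes it":                     {"path": _BIN,    "perm": "x", "auid": 0},
    "daemon with unset auid executes it":   {"path": _BIN,    "perm": "x", "auid": AUID_UNSET},
    "user 501 only reads the file":         {"path": _BIN,    "perm": "r", "auid": 501},
    "user 501 executes a different binary": {"path": "/bin/ls", "perm": "x", "auid": 501},
}


def evaluate(rule=RULE, events=EVENTS):
    """Map each event description to whether the rule would record it."""
    return {name: rule_matches(rule, ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(("MATCH  " if hit else "ignore ") + name)
```

Only the first event is recorded; the others fail one condition each. Dropping `-F auid!=4294967295` from the rule makes the unset-auid event match, which is why that filter belongs in every `auid>=` rule. On a real system the rule goes into the audit rules file (or is loaded with `auditctl -R`), and hits can then be pulled out with `ausearch -k privileged`.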
