> I'm currently testing auditd with rules for setuid or setgid binaries on
> the system.
>
> I currently maintain the list via find, and push the results to an
> audit.rules file.
>
> I'm hoping there's a cleaner way, perhaps by triggering on the
> appropriate syscall -- but have not discovered it.
>
> Is there an easier method?
The find method is what I use (though I push it to a file in rules.d and then run augenrules, which for RHEL5/6 I just stole from RHEL7). Using find to generate these rules is actually in the text of, IIRC, at least one of the RHEL STIGs (6, draft of 7, possibly both), though not quite as automated as the way I do it.

--Ray

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
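The find-based approach discussed in the thread, written out as an added example (this is not Ray's script or anything from the audit project). It emits one rule per setuid/setgid executable for a file under rules.d, and adds a drift check so a cron job can tell when the installed rules no longer match the binaries on disk. The key name "privileged", the default search roots and the auid threshold are assumptions made here, not values from the thread.

```shell
# Generate auditd rules for every setuid/setgid executable under the given
# roots (defaults to the usual binary locations). Output goes to stdout so
# it can be redirected into /etc/audit/rules.d/ and loaded with augenrules.
gen_privileged_rules() {
    [ $# -eq 0 ] && set -- /usr/bin /usr/sbin /bin /sbin /usr/local/bin /usr/local/sbin
    # Assumed UID floor for "real" users: 1000 on RHEL7, 500 on RHEL5/6.
    uid_min=${AUDIT_UID_MIN:-1000}
    for root in "$@"; do
        [ -d "$root" ] || continue
        # -xdev: stay on one filesystem; -type f: files only;
        # -perm -4000 / -2000: setuid or setgid bit set.
        find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    done | sort -u | while IFS= read -r path; do
        # Paths containing whitespace cannot be expressed in a -F path= rule.
        case $path in *[[:space:]]*) continue ;; esac
        # Log each execution by a logged-in user; auid 4294967295 is "unset"
        # (daemons, boot-time processes) and would only add noise.
        printf -- '-a always,exit -F path=%s -F perm=x -F auid>=%s -F auid!=4294967295 -k privileged\n' \
            "$path" "$uid_min"
    done
}

# Compare the installed rules file with a fresh scan. Returns non-zero when a
# setuid/setgid binary appeared or disappeared since the rules were generated,
# which is the maintenance problem the original question is about.
check_privileged_drift() {
    rules_file=$1; shift
    gen_privileged_rules "$@" | diff -u "$rules_file" - >/dev/null
}

# Usage as root:
#   gen_privileged_rules > /etc/audit/rules.d/30-privileged.rules && augenrules --load
#   check_privileged_drift /etc/audit/rules.d/30-privileged.rules || echo "rules are stale"
```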
