On 09/04/2015 12:20 PM, Steve Grubb wrote:
> On Friday, September 04, 2015 10:54:47 AM John Jasen wrote:
>> I was specifically wondering if I was missing the appropriate syscall
>> for the use of setuid or setgid.
>>
>> From a brief examination and test, this appears to not be the case?
>
> There are a couple ways to do this. One is using the find method. However,
> that does not take into account file system based capabilities. In the lab I
> taught this week, the rules generator also included this:

<snipped> filecap examples to add LINUX_CAP executables to audit.rules.

Huh .... I did not think of that.

> But, if all you want is setuid, then you can use a rule like this instead of
> file watches:
>
> -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0

Perfect! Thanks.

For future generations googling for answers, I did the following:

-a always,exit -F arch=x86_64 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=x86_64 -S execve -C gid!=egid -F key=execpriv

I didn't pursue the last match, -F euid=0, as there may be cases where you
wish to audit setuid usage, but the binary is not setuid to root.

-- 
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
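The rule semantics settled on in the thread, as an added example that is not part of the mailing-list post: a small Python evaluator for the -S, -C and -F clauses of the three rules quoted above, run against constructed events (no auditd involved), showing why dropping `-F euid=0` widens the match to setuid binaries that are not setuid-root. Rule names and event values are assumptions made for this illustration.

```python
"""Added example (not from the thread): toy evaluator for the -S, -C and -F
clauses of the auditctl rules quoted above, run on constructed events."""
import re

# Constructed events shaped like the uid/euid/gid/egid fields of a SYSCALL record.
EVENTS = {
    "setuid_root_binary":    {"syscall": "execve", "uid": 1000, "euid": 0,    "gid": 1000, "egid": 1000},
    "setuid_nonroot_binary": {"syscall": "execve", "uid": 1000, "euid": 2000, "gid": 1000, "egid": 1000},
    "setgid_binary":         {"syscall": "execve", "uid": 1000, "euid": 1000, "gid": 1000, "egid": 5},
    "root_plain_exec":       {"syscall": "execve", "uid": 0,    "euid": 0,    "gid": 0,    "egid": 0},
    "user_open_not_execve":  {"syscall": "open",   "uid": 1000, "euid": 1000, "gid": 1000, "egid": 1000},
}

RULES = {
    # Steve's rule: setuid-to-root executions only.
    "root_only":  "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0",
    # John's rules: any effective-uid or effective-gid change on execve.
    "any_setuid": "-a always,exit -F arch=x86_64 -S execve -C uid!=euid -F key=execpriv",
    "any_setgid": "-a always,exit -F arch=x86_64 -S execve -C gid!=egid -F key=execpriv",
}

OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b}

def rule_matches(rule, event):
    """True when every -S / -C / -F clause holds for the event.
    -S name       the syscall must be 'name'
    -C f1!=f2     compare two fields of the same event (interfield)
    -F f=v        compare one field with a literal value
    '-F arch' and '-F key' select/tag the event; they do not restrict it here.
    """
    tokens = rule.split()
    for flag, arg in zip(tokens, tokens[1:]):
        if flag == "-S" and event.get("syscall") != arg:
            return False
        if flag in ("-C", "-F"):
            lhs, op, rhs = re.fullmatch(r"(\w+)(!=|=)(\w+)", arg).groups()
            if lhs in ("arch", "key"):
                continue
            right = event[rhs] if flag == "-C" else int(rhs)
            if not OPS[op](event[lhs], right):
                return False
    return True

def matching_rules(event):
    """Names of the rules that would record this event, sorted."""
    return sorted(name for name, rule in RULES.items() if rule_matches(rule, event))

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:22s} -> {matching_rules(ev)}")
```

The setuid-but-not-root event is the case the thread discusses: only the `-C uid!=euid` rule without `-F euid=0` records it.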
