My Special Security Team, not being UNIX/Linux savvy asked me if I could put 
into place audit rules that monitor "Root-Level" commands.

I don't know of any specific identifier for such a term, and the closest thing 
I could come up with was monitoring those files that fall under /usr/sbin/ and 
/sbin/; does anyone else have any thoughts about how to approach this task?

I figured I would use a rule such as:
-w /sbin/   -p rawx  -k watch_root_commands                (I used rawx, to 
account for replacement by a hacker)


Thank you in advance,

Warron French, MBA, SCSA
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit

Reply via email to