Ah, thanks. I had only recently added -k rootcmd so I didn't notice it was different earlier ... but I should've noticed this time. Thanks!
On Wed, Jul 13, 2016 at 9:39 AM, Steve Grubb <[email protected]> wrote: > On Wednesday, July 13, 2016 9:27:25 AM EDT Chris Nandor wrote: > > As mentioned in previous e-mail, we want to log what users do as root. I > > have these two rules, only: > > > > -a exit,always -F arch=b32 -F euid=0 -F auid>=0 -F auid!=4294967295 -S > > execve -k rootcmd > > -a exit,always -F arch=b64 -F euid=0 -F auid>=0 -F auid!=4294967295 -S > > execve -k rootcmd > > > > But this line shows up: > > > > node=grax.sea.marchex.com type=ANOM_ABEND > > msg=audit(1468426871.752:3282575): auid=811 uid=811 gid=811 ses=12 > > pid=18504 comm="chromium-browse" reason="seccomp" sig=0 syscall=91 > compat=0 > > ip=0x7f296c759c77 code=0x50001 > > There are two kinds of events. There are the ones that are triggered by the > rules you load, and there are rules that are hardwired to be logged because > something significant happened. In this case the seccomp filter killed > chromium-browse because it violated policy. It has nothing to do with your > rules which have a rootcmd key. > > To find the events triggered by your rule, use: > ausearch --start today -k rootcmd -i > > -Steve > > > My guess is that it is because euid is missing; maybe euid=0 is true if > > euid is null? I could put uid=0, instead of euid ... but that isn't > > exactly what I want, I think. Is there a way to have the rule require > euid > > actually be 0? > > > > --Chris > > >
-- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
