On 4/23/2017 10:22 AM, Maria Tsiolakki wrote:
Hello,

Many thanks for your answer. I will try your suggestion, but what if a user makes a copy of the su executable to, let's say, under /tmp and executes /tmp/su? Will this be audited using the rule you suggest?

Best regards
Maria

Sent from my Samsung device

-------- Original message --------
From: Steve Grubb <[email protected]>
Date: 23/04/2017 11:48 (GMT+02:00)
To: Maria Tsiolakki <[email protected]>
Cc: [email protected]
Subject: Re: audit su - access

Hello,

On Fri, 21 Apr 2017 16:00:54 +0300 Maria Tsiolakki <[email protected]> wrote:

> We have set up the audit log on a Red Hat Linux 7.3 machine. We have set up various rules, so far successfully. Our last requirement is to have an audit log when a user executes su - or su - root, or sudo su.
> I wrote the following rule, but it does not work:
>
> -a always,exit -S su

This ^^^ is the problem. The -S switch is for system calls. To see a list of system calls you can run "ausyscall --dump". Su is a program and not a syscall. So, you would place a watch on it like this:

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=200 -F auid!=4294967295 -F key=su-execution

-Steve

> How can I audit log the execution of the su command?
>
> Best regards
> Maria

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
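An added example, not from this thread and not part of the audit package, showing how SYSCALL records produced by such rules can be checked after the fact. A `-F path=/usr/bin/su` watch only matches that file, so the script assumes a second, broader execve rule (key `exec-all`, an assumed name) is also loaded and filters on the `comm`/`exe` fields instead of the key, which is what surfaces a copy run from /tmp. The log lines are constructed, not real captures.

```python
import re

# Constructed sample SYSCALL records in auditd's key=value format: one su run
# from the packaged path, one from a copy under /tmp, one unrelated execve.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1492951320.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2101 auid=1000 uid=1000 gid=1000 euid=0 comm="su" exe="/usr/bin/su" key="su-execution"
type=SYSCALL msg=audit(1492951355.417:202): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2140 auid=1000 uid=1000 gid=1000 euid=1000 comm="su" exe="/tmp/su" key="exec-all"
type=SYSCALL msg=audit(1492951360.002:203): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2150 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key="exec-all"
"""

# key=value pairs; values are either double-quoted strings or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: paths where the distribution installs the genuine su binary
TRUSTED_SU = {"/usr/bin/su", "/bin/su"}


def parse_record(line):
    """Split one audit record into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def su_executions(log_text):
    """Return (event_id, auid, exe, trusted) for every execve of a program named su.

    Matching on comm/exe rather than on the rule key is what catches a copy
    executed from an unwatched path; trusted is False for anything outside
    TRUSTED_SU so it can be alerted on.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        # syscall 59 is execve on x86_64 (arch=c000003e); other arches differ
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != "59":
            continue
        if rec.get("comm") != "su":
            continue
        # msg=audit(<timestamp>:<serial>): -> serial identifies the event
        event_id = rec["msg"].split(":")[1].rstrip(")")
        hits.append((event_id, rec.get("auid"), rec["exe"], rec["exe"] in TRUSTED_SU))
    return hits


if __name__ == "__main__":
    for event_id, auid, exe, trusted in su_executions(SAMPLE_LOG):
        print(f"event {event_id}: auid={auid} exe={exe} trusted={trusted}")
```

On a live system the same function can be fed the output of `ausearch -i` stripped of interpretation, or raw /var/log/audit/audit.log lines, since only the SYSCALL records are inspected.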
