Perfect, thanks so much Steve.

Joshua Ammons
Senior SIEM Engineer, Cybersecurity
Global Business Services
Office 479.204.4472 | Mobile 479.595.2291
[email protected]
Walmart
805 Moberly Ln
Bentonville, AR 72716
Save money. Live better.

-----Original Message-----
From: Steve Grubb [mailto:[email protected]]
Sent: Monday, June 11, 2018 9:28 AM
To: [email protected]
Cc: Joshua Ammons <[email protected]>
Subject: EXT: Re: auditd rule error

On Monday, June 11, 2018 8:39:26 AM EDT Joshua Ammons wrote:
> On a server running RHEL 7.2 the audit rules fail to load due to an
> error on this rule:
>
> -a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session
>
> From what I have found it seems "exe" may not be a valid field on this
> specific O.S. - is this correct?

That might have been targeted for the 7.4 kernel.

> Does anyone have any recommendations on how to track elevated
> privileges for all RHEL 6/7 systems?

The exe field is used for what we call audit by executable. This is for when
you want to zero in on a particular program performing some action like
calling accept. If you simply want notification that an application was
invoked, then you would just set up a watch for execute.

-a always,exit -F path=/usr/bin/su -F perm=x -F key=10.2.5.b-elevated-privs-session

That should work across RHEL 6 & 7. Also, you will get events from pam as the
user authenticates and starts the session. So, you should be able to find
those with this search:

ausearch --start today -x /usr/bin/su -m USER_START -w -i

-Steve

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
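The thread describes two kinds of events a SIEM will see once the watch rule is in place: SYSCALL records tagged with the rule's key when /usr/bin/su is executed, and USER_START records that pam emits when the su session opens. The following Python is an added example, not code from the thread or from the audit project: it parses raw audit.log records (the key=value format, with pam records nesting their fields inside msg='...'), picks out successful su sessions the way the `ausearch -m USER_START -x /usr/bin/su` search would, and rewrites an `-F exe=` rule into the file-watch form Steve suggested. The log lines are constructed samples, and the function names (`parse_audit_record`, `find_su_sessions`, `records_for_key`, `rewrite_exe_rule_as_watch`) are this example's own.

```python
"""Parse raw auditd records and surface privilege-elevation sessions.

Added example; the records in SAMPLE_LOG are constructed, not captured.
"""
import re
from typing import Dict, List, Tuple

# One key=value token; the value is "double quoted", 'single quoted' or bare.
_KV = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
# Record header: type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <fields>
_HDR = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")

# The rule from the original question and the key it carries.
ORIGINAL_RULE = ("-a always,exit -F arch=b64 -S setuid -F a0=0 "
                 "-F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session")
RULE_KEY = "10.2.5.b-elevated-privs-session"

# Constructed sample records: an execve of su caught by the watch rule, the pam
# session-open that follows, a failed authentication, and an unrelated sshd login.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1528723682.101:2001): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=4010 pid=4022 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=7 comm="su" exe="/usr/bin/su" key="10.2.5.b-elevated-privs-session"
type=USER_START msg=audit(1528723684.550:2003): pid=4022 uid=1000 auid=1000 ses=7 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_unix acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=USER_AUTH msg=audit(1528723700.010:2010): pid=4100 uid=1000 auid=1000 ses=7 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=pts/0 res=failed'
type=USER_START msg=audit(1528723720.300:2020): pid=4200 uid=0 auid=1001 ses=8 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_unix acct="bob" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
"""


def _kv_pairs(text: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for key, val in _KV.findall(text):
        if len(val) >= 2 and val[0] in "\"'" and val[-1] == val[0]:
            val = val[1:-1]
        if key == "msg":
            # USER_* (pam) records carry acct=, exe=, terminal=, res= inside msg='...'
            out.update(_kv_pairs(val))
        else:
            out[key] = val
    return out


def parse_audit_record(line: str) -> Dict[str, str]:
    """Flatten one raw audit.log line into a dict of type, time, serial and fields.
    Values auditd hex-encodes (e.g. acct with unusual characters) are left as-is;
    `ausearch -i` is what decodes them."""
    m = _HDR.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    rec.update(_kv_pairs(m.group(4)))
    return rec


def parse_audit_log(text: str) -> List[Dict[str, str]]:
    return [parse_audit_record(ln) for ln in text.splitlines() if ln.strip()]


def find_su_sessions(records: List[Dict[str, str]], exe: str = "/usr/bin/su") -> List[Dict[str, str]]:
    """Successful pam session opens via `exe`: the same events the
    `ausearch -x /usr/bin/su -m USER_START` search returns."""
    return [
        {"serial": r["serial"], "time": r["time"], "auid": r.get("auid", "?"),
         "ses": r.get("ses", "?"), "acct": r.get("acct", "?"), "terminal": r.get("terminal", "?")}
        for r in records
        if r["type"] == "USER_START" and r.get("exe") == exe and r.get("res") == "success"
    ]


def records_for_key(records: List[Dict[str, str]], key: str) -> List[Tuple[str, str, str]]:
    """(auid, exe, comm) for every SYSCALL record tagged by the watch rule's key."""
    return [(r.get("auid", "?"), r.get("exe", "?"), r.get("comm", "?"))
            for r in records if r["type"] == "SYSCALL" and r.get("key") == key]


def rewrite_exe_rule_as_watch(rule: str) -> str:
    """Turn an audit-by-executable rule (-F exe=...) into the execute watch on the
    same path that Steve proposed, keeping the key so searches stay the same."""
    toks = rule.split()
    path = key = None
    for i, t in enumerate(toks[:-1]):
        if t == "-F":
            name, _, value = toks[i + 1].partition("=")
            if name == "exe":
                path = value
            elif name == "key":
                key = value
        elif t == "-k":
            key = toks[i + 1]
    if path is None:
        raise ValueError("rule has no -F exe= field: %r" % rule)
    out = ["-a", "always,exit", "-F", "path=" + path, "-F", "perm=x"]
    if key:
        out += ["-F", "key=" + key]
    return " ".join(out)


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    for hit in find_su_sessions(recs):
        print("auid=%(auid)s opened a session as %(acct)s on %(terminal)s "
              "(ses=%(ses)s, event %(serial)s)" % hit)
    print("execs tagged by the watch rule:", records_for_key(recs, RULE_KEY))
    print("portable rule:", rewrite_exe_rule_as_watch(ORIGINAL_RULE))
```

Correlating on `auid` and `ses` rather than `uid` is the point of the pam events: once su succeeds the process runs as root, but the login uid survives, so the person who elevated is still identifiable. The failed USER_AUTH record is deliberately excluded from the session list but is worth a separate alert on repeated occurrences.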
