On 2020-12-05 00:45, Smith, Gary R wrote:
> Good afternoon,
>
> I have RHEL 7 systems set up to emit audit records when the firewall rules
> with iptables change. I do it with a single audit command:
>
> -a always,exit -F arch=b64 -S setsockopt -F a2=0x40 -F key=IPTablesChange
>
> And it works
Good afternoon,

I have RHEL 7 systems set up to emit audit records when the firewall rules with
iptables change. I do it with a single audit command:

-a always,exit -F arch=b64 -S setsockopt -F a2=0x40 -F key=IPTablesChange

And it works great. I get audit logs like this:
type=PROCTITLE msg=aud
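
Added example, not part of the original message or of the audit project: the rule above filters only on a2 (the setsockopt optname), so this sketch post-filters the resulting SYSCALL records on a1 (the level) to keep only IPv4/IPv6 table replacements. The log lines, paths, PIDs and the function names are constructed for illustration.

```python
import re

# Constructed sample records in auditd's raw log format (not from the original post).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1607128001.100:901): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=0 a2=40 a3=1f3c010 items=0 ppid=2100 pid=2101 auid=1000 uid=0 comm="iptables" exe="/usr/sbin/xtables-multi" key="IPTablesChange"
type=PROCTITLE msg=audit(1607128001.100:901): proctitle=69707461626C6573002D46
type=SYSCALL msg=audit(1607128002.200:902): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=29 a2=40 a3=1f3c010 items=0 ppid=2100 pid=2102 auid=1000 uid=0 comm="ip6tables" exe="/usr/sbin/xtables-multi" key="IPTablesChange"
type=SYSCALL msg=audit(1607128003.300:903): arch=c000003e syscall=54 success=yes exit=0 a0=7 a1=11 a2=40 a3=7ffd0 items=0 ppid=1 pid=3300 auid=4294967295 uid=0 comm="daemon" exe="/usr/sbin/exampled" key="IPTablesChange"
type=SYSCALL msg=audit(1607128004.400:904): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1 a1=0 a2=1b6 a3=0 items=1 ppid=1 pid=3301 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="other"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# setsockopt(fd, level, optname, ...): a1 is the level, a2 the optname.
LEVELS = {0: "IPv4 (IPPROTO_IP)", 41: "IPv6 (IPPROTO_IPV6)"}
SO_SET_REPLACE = 0x40  # IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE


def parse_record(line):
    """Split one raw audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def iptables_changes(log_text, key="IPTablesChange"):
    """Return (serial, family, exe, auid) for each table replacement found."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        # Only SYSCALL records carry a0..a3; PROCTITLE and others are skipped.
        if rec.get("type") != "SYSCALL" or rec.get("key") != key:
            continue
        # auditd writes a0..a3 as hex without a 0x prefix.
        level, optname = int(rec["a1"], 16), int(rec["a2"], 16)
        if optname != SO_SET_REPLACE or level not in LEVELS:
            continue  # optname 0x40 at some other level: not an iptables change
        serial = int(rec["msg"].split(":")[1].rstrip(")"))
        hits.append((serial, LEVELS[level], rec["exe"], rec["auid"]))
    return hits


if __name__ == "__main__":
    for hit in iptables_changes(SAMPLE_LOG):
        print(hit)
```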