trimstray/the-practical-linux-hardening-guide

Auditd - Some invalid rules due to duplicates, some due to syntax

joshua-jandyco opened this issue · 0 comments

Auditd lremovexattr has duplicate rules because there are two 32 bit rules instead of one 32 and one 64

Record events that modify the system's discretionary access controls

lremovexattr

Here there are two b32 arch rules instead of one for 32 and one for 64

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Typo in ftruncate rule

Record unauthorized access attempts to files

ftruncate

Third rule down says 'exiu' instead of 'exit'

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
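A small audit-rules linter, added here as an example (not part of the guide or of this issue), that catches both problems reported above: the exact duplicate lremovexattr rule and the `exiu` field typo, and additionally flags syscall rules that exist for only one of arch=b32 / arch=b64 (which is how the lremovexattr duplicate and the mismatched ftruncate pair show up). The sample input is the six rule lines quoted in the issue; `KNOWN_FIELDS` is an assumed subset of the `-F` field names documented in auditctl(8).

```python
import re

# Constructed sample: the six rule lines quoted in this issue (not the project's full rules file).
SAMPLE_RULES = """\
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
"""

# Assumption: a subset of the -F field names documented in auditctl(8); extend as needed.
KNOWN_FIELDS = {"arch", "auid", "uid", "gid", "euid", "egid", "exit", "key", "path", "perm",
                "dir", "exe", "pid", "ppid", "success", "msgtype", "subj_type", "obj_type"}

# name, comparison operator, value (e.g. auid>=1000, exit=-EACCES, auid!=unset)
FIELD_RE = re.compile(r"^([a-z_0-9]+)(!=|>=|<=|&=|=|>|<|&)(.*)$")


def lint_audit_rules(text):
    """Return (line_no, message) findings; line_no 0 marks a file-level (arch coverage) finding."""
    findings, seen, arch_cov = [], {}, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())            # normalise whitespace before comparing lines
        if not line or line.startswith("#"):
            continue
        if line in seen:                        # exact duplicate rule (the lremovexattr case)
            findings.append((n, f"duplicate of line {seen[line]}"))
        else:
            seen[line] = n
        toks, arch, syscalls, fields = line.split(), None, [], []
        for i, tok in enumerate(toks[:-1]):
            if tok == "-S":
                syscalls.append(toks[i + 1])
            elif tok == "-F":
                m = FIELD_RE.match(toks[i + 1])
                name, val = (m.group(1), m.group(3)) if m else (toks[i + 1], "")
                if name not in KNOWN_FIELDS:    # catches typos such as 'exiu'
                    findings.append((n, f"unknown -F field {name!r}"))
                if name == "arch":
                    arch = val
                else:
                    fields.append(toks[i + 1])
        if arch and syscalls:                   # group syscall rules by everything except arch
            arch_cov.setdefault((tuple(syscalls), tuple(fields)), set()).add(arch)
    for (sc, fl), arches in arch_cov.items():
        if arches != {"b32", "b64"}:            # a rule that has no b32/b64 counterpart
            findings.append((0, f"-S {','.join(sc)} {' '.join(fl)} only for arch {sorted(arches)}"))
    return findings
```

Run against the sample it reports the duplicate on line 2, the unknown field on line 5, and three arch-coverage gaps (lremovexattr, and each half of the mismatched ftruncate EACCES pair).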