Auditing System

There are two control types pertaining to the Linux Auditing System. These rules are only for adding or changing audit rules, which typically live in /etc/audit/rules.d/audit.rules.

rule:file system

Designator for the <Type> field, used specifically for audit rules that watch modification or execution of userland binaries. The {SETUID_PROG_PATH} placeholder is to be used solely for locating binaries that may sit in non-standard userland locations such as /bin, /usr/bin or /usr/centrify/bin; the <Applied> field carries the find command that resolves it before the rule is compared.


<Group>
  <GroupId>V-230412</GroupId>
  <GroupTitle>SRG-OS-000062-GPOS-00031</GroupTitle>
  <RuleId>SV-230412r627750_rule</RuleId>
  <Severity>CAT II</Severity>
  <RuleVersion>RHEL-08-030190</RuleVersion>
  <RuleTitle>Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record.</RuleTitle>
  <Where>Auditing System</Where>
  <Applied>[{SETUID_PROG_PATH} = find /usr/bin -xdev -type f -name su]</Applied>
  <Type>rule:File system[-a always,exit -F path={SETUID_PROG_PATH} -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change]</Type>
  <Value>TRUE</Value>
  <Ignore>case, space</Ignore>
  <IgnoreReason></IgnoreReason>
</Group>

rule:system call

Designator for the <Type> field for system library or binary calls, which require an arch element (-F arch=b32 or -F arch=b64) in the rule. For this type the rule itself is carried in the <Value> field. This typically covers binaries installed via package subsystems (apt/deb or yum/rpm).


<Group>
  <GroupId>V-230413 Part 1 of 4</GroupId>
  <GroupTitle>SRG-OS-000062-GPOS-00031</GroupTitle>
  <RuleId>SV-230413r810463_rule</RuleId>
  <Severity>CAT II</Severity>
  <RuleVersion>RHEL-08-030200</RuleVersion>
  <RuleTitle>The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.</RuleTitle>
  <Where>Auditing System</Where>
  <Applied>"xattr"</Applied>
  <Type>rule:system call</Type>
  <Value>-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod</Value>
  <Ignore>case,space</Ignore>
  <IgnoreReason></IgnoreReason>
</Group>
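The following is an added worked example, not code from the original page or from the tool the page documents, showing how both control types above can be evaluated: it parses the two <Group> records, pulls the expected rule out of <Type> for the file-system type and out of <Value> for the system-call type, substitutes the {SETUID_PROG_PATH} placeholder, applies the <Ignore> options, and looks for the rule in an audit.rules file. The placeholder value, the audit.rules content and the wrapping <Groups> root element are constructed for the example; the find command in <Applied> is not executed, so it runs offline. The interpretation of "space" as "collapse runs of whitespace" is an assumption.

```python
"""Check <Group> audit-rule records (page format) against an audit.rules file."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the two <Group> records from the page, wrapped in an
# assumed <Groups> root so ElementTree can parse them as one document.
GROUPS_XML = """<Groups>
<Group><GroupId>V-230412</GroupId><Where>Auditing System</Where>
<Applied>[{SETUID_PROG_PATH} = find /usr/bin -xdev -type f -name su]</Applied>
<Type>rule:File system[-a always,exit -F path={SETUID_PROG_PATH} -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-priv_change]</Type>
<Value>TRUE</Value><Ignore>case, space</Ignore></Group>
<Group><GroupId>V-230413 Part 1 of 4</GroupId><Where>Auditing System</Where>
<Applied>"xattr"</Applied><Type>rule:system call</Type>
<Value>-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid&gt;=1000 -F auid!=unset -k perm_mod</Value>
<Ignore>case,space</Ignore></Group>
</Groups>"""

# Constructed audit.rules content (not a real host's file): the su rule is
# present with irregular spacing and capitalisation that <Ignore> tolerates;
# only the b64 xattr rule exists, so the b32 record should fail.
AUDIT_RULES = """## constructed sample audit.rules
-a always,exit -F path=/usr/bin/su -F perm=x -F AUID>=1000   -F auid!=unset -k privileged-priv_change
-a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod
"""

# Assumed placeholder resolution: the page resolves {SETUID_PROG_PATH} with the
# find command in <Applied>; here the result is supplied directly.
PLACEHOLDERS = {"SETUID_PROG_PATH": "/usr/bin/su"}

# "rule:File system[<rule>]" with the rule text captured from the brackets
FS_RE = re.compile(r"^rule:file system\[(.*)\]$", re.IGNORECASE | re.DOTALL)


def parse_groups(xml_text):
    """Return the list of <Group> elements in the document."""
    return list(ET.fromstring(xml_text).iter("Group"))


def expected_rule(group, placeholders):
    """Return the audit rule text a <Group> record expects to be present."""
    rule_type = group.findtext("Type", "").strip()
    m = FS_RE.match(rule_type)
    if m:
        # file-system type: rule lives inside <Type>, <Value> is TRUE (the only
        # value shown on the page, so the only one supported here)
        if group.findtext("Value", "").strip().upper() != "TRUE":
            raise ValueError("only <Value>TRUE</Value> is supported for rule:File system")
        rule = m.group(1)
        for name, value in placeholders.items():
            rule = rule.replace("{" + name + "}", value)
        return rule
    if rule_type.lower() == "rule:system call":
        # system-call type: rule lives in <Value>
        return group.findtext("Value", "").strip()
    raise ValueError(f"unsupported Type: {rule_type!r}")


def normalize(text, ignore):
    """Apply <Ignore> options: 'case' folds case, 'space' collapses whitespace runs (assumed)."""
    opts = {o.strip().lower() for o in ignore.split(",") if o.strip()}
    if "space" in opts:
        text = " ".join(text.split())
    if "case" in opts:
        text = text.lower()
    return text.strip()


def rule_present(rule, rules_text, ignore):
    """True if a non-comment line of rules_text equals rule under the Ignore options."""
    want = normalize(rule, ignore)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if normalize(line, ignore) == want:
            return True
    return False


def check_groups(groups_xml, rules_text, placeholders):
    """Map each GroupId to whether its expected rule is found in rules_text."""
    results = {}
    for group in parse_groups(groups_xml):
        gid = group.findtext("GroupId", "").strip()
        ignore = group.findtext("Ignore", "")
        rule = expected_rule(group, placeholders)
        results[gid] = rule_present(rule, rules_text, ignore)
    return results


if __name__ == "__main__":
    for gid, ok in check_groups(GROUPS_XML, AUDIT_RULES, PLACEHOLDERS).items():
        print(f"{gid}: {'PASS' if ok else 'FAIL'}")
```

Against the constructed file, V-230412 passes and the b32 xattr record fails, which is the point of the "Part 1 of 4" split: each arch variant is its own record, so a rules file that carries only the b64 line is reported as non-compliant for the b32 part rather than silently accepted.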
