There are two control types pertaining to the Linux Auditing System. These controls only add or change audit rules, which typically live in /etc/audit/rules.d/audit.rules and are loaded into the running kernel with augenrules --load.
rule:file system
Designator for the <Type> field, used for audit rules that watch file modification and the execution of userland binaries. {SETUID_PROG_PATH} is used solely to locate a binary whose path varies between hosts (/bin, /usr/bin, /usr/centrify/bin), so the rule is written against the resolved path rather than a hard-coded one.
<Group>
<GroupId>V-230412</GroupId>
<GroupTitle>SRG-OS-000062-GPOS-00031</GroupTitle>
<RuleId>SV-230412r627750_rule</RuleId>
<Severity>CAT II</Severity>
<RuleVersion>RHEL-08-030190</RuleVersion>
<RuleTitle>Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record.</RuleTitle>
<Where>Auditing System</Where>
<Applied>[{SETUID_PROG_PATH} = find /usr/bin -xdev -type f -name su]</Applied>
<Type>rule:File system[-a always,exit -F path={SETUID_PROG_PATH} -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change]</Type>
<Value>TRUE</Value>
<Ignore>case, space</Ignore>
<IgnoreReason></IgnoreReason>
</Group>
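The {SETUID_PROG_PATH} resolution above, as an added example that is not part of the original page: the binary is located with the same find expression as the <Applied> field, substituted into the rule template, appended once to a rules.d file, and the function reports failure when the binary is absent so a control is never written with an empty path. Function names, the rules-file argument and the sample rule template are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): resolve {SETUID_PROG_PATH}
# and render a "rule:file system" control. Function names are assumed.

# locate_setuid_prog ROOT NAME -> prints the first regular file named NAME
# below ROOT, using the same find expression as the <Applied> field.
locate_setuid_prog() {
    find "$1" -xdev -type f -name "$2" 2>/dev/null | head -n 1
}

# render_rule TEMPLATE PATH -> substitutes {SETUID_PROG_PATH} in a template.
render_rule() {
    printf '%s\n' "$1" | sed "s|{SETUID_PROG_PATH}|$2|g"
}

# install_fs_rule ROOT NAME TEMPLATE RULES_FILE -> resolves NAME under ROOT,
# renders TEMPLATE and appends the line to RULES_FILE if it is not already
# there. Returns 1 (and writes nothing) when the binary cannot be found.
install_fs_rule() {
    prog=$(locate_setuid_prog "$1" "$2")
    [ -n "$prog" ] || { echo "no $2 found under $1" >&2; return 1; }
    rule=$(render_rule "$3" "$prog")
    grep -qxF -- "$rule" "$4" 2>/dev/null || printf '%s\n' "$rule" >> "$4"
}

# verify_loaded PATH -> checks the running audit configuration for the rule
# (needs root and auditctl; only the file-based steps above run unprivileged).
verify_loaded() {
    command -v auditctl >/dev/null 2>&1 || { echo "auditctl not available" >&2; return 1; }
    auditctl -l | grep -F -- "path=$1"
}

# Template taken from the control above (RHEL-08-030190).
SU_TEMPLATE='-a always,exit -F path={SETUID_PROG_PATH} -F perm=x -F auid>=1000 -F auid!=unset -k privileged-priv_change'

# Usage (writes to /etc/audit/rules.d/audit.rules only when run as root):
#   install_fs_rule /usr/bin su "$SU_TEMPLATE" /etc/audit/rules.d/audit.rules
#   augenrules --load && verify_loaded /usr/bin/su
```

After augenrules --load, the check to run is auditctl -l and confirm the rendered line appears with the resolved path; the key privileged-priv_change is what ausearch -k uses to pull the resulting events.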
rule:system call
Designator for the <Type> field for rules that match system calls made by libraries or binaries. These rules must carry an arch element (-F arch=b32 or -F arch=b64) together with the -S syscall list, and they apply to any caller, which typically includes binaries installed via package subsystems (apt/deb or yum/rpm).
<Group>
<GroupId>V-230413 Part 1 of 4</GroupId>
<GroupTitle>SRG-OS-000062-GPOS-00031</GroupTitle>
<RuleId>SV-230413r810463_rule</RuleId>
<Severity>CAT II</Severity>
<RuleVersion>RHEL-08-030200</RuleVersion>
<RuleTitle>The RHEL 8 audit system must be configured to audit any usage of the setxattr, fsetxattr, lsetxattr, removexattr, fremovexattr, and lremovexattr system calls.</RuleTitle>
<Where>Auditing System</Where>
<Applied>"xattr"</Applied>
<Type>rule:system call</Type>
<Value>-a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=unset -k perm_mod</Value>
<Ignore>case,space</Ignore>
<IgnoreReason></IgnoreReason>
</Group>
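The "Part 1 of 4" above is the b32, auid>=1000 line; the remaining parts are the b64 line and the auid=0 lines for both ABIs. As an added example that is not part of the original page, the following expands one syscall list into those four rule lines and checks that each line carries the arch element and -S list a system-call rule needs. Function names are this example's own; the syscall list and key come from the control above.

```shell
#!/bin/sh
# Added example (not from the original page): build and sanity-check
# "rule:system call" entries. Function names are assumed.

# Syscall list and key from RHEL-08-030200.
XATTR_SYSCALLS=setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr

# syscall_rule ARCH SYSCALLS AUID_FILTER KEY -> one audit rule line.
syscall_rule() {
    printf '%s\n' "-a always,exit -F arch=$1 -S $2 $3 -k $4"
}

# expand_syscall_rules SYSCALLS KEY -> the four parts a syscall control is
# split into: each ABI, for unprivileged sessions (auid>=1000, excluding
# daemons with auid unset) and for root sessions (auid=0). On a 64-bit host
# both ABIs are needed, because a 32-bit caller is matched only by b32 rules.
expand_syscall_rules() {
    for arch in b32 b64; do
        for auid in '-F auid>=1000 -F auid!=unset' '-F auid=0'; do
            syscall_rule "$arch" "$1" "$auid" "$2"
        done
    done
}

# check_syscall_rule RULE -> 0 when the line has an arch filter and a -S
# list, 1 otherwise (auditctl rejects a -S rule without arch on a 64-bit
# kernel, so catch it before augenrules --load).
check_syscall_rule() {
    case "$1" in
        *"-F arch=b32"*|*"-F arch=b64"*) ;;
        *) echo "missing -F arch=: $1" >&2; return 1 ;;
    esac
    case "$1" in
        *" -S "*) return 0 ;;
        *) echo "missing -S syscall list: $1" >&2; return 1 ;;
    esac
}

# check_rules_file FILE -> runs check_syscall_rule over every -S rule in FILE.
check_rules_file() {
    rc=0
    grep -- ' -S ' "$1" | while IFS= read -r line; do
        check_syscall_rule "$line" || rc=1
    done
    return $rc
}

# Usage (the write to rules.d needs root):
#   expand_syscall_rules "$XATTR_SYSCALLS" perm_mod >> /etc/audit/rules.d/audit.rules
#   check_rules_file /etc/audit/rules.d/audit.rules && augenrules --load
#   auditctl -l | grep -F -- '-k perm_mod'
```

Because the pipeline in check_rules_file runs the loop in a subshell under some shells, rc is only reliable inside the loop; the function still prints every offending line, and the per-line check_syscall_rule return value is what to assert on when scripting.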