fix auditd

This commit is contained in:
Louis Abel 2023-08-14 00:40:04 -07:00
parent 6d0a216712
commit 2acf41e6b8
Signed by: label
GPG Key ID: 3331F061D1D9990E

View File

@ -45,9 +45,9 @@
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>={{ audit_auid }} -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S ,creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S ,creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S ,creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>={{ audit_auid }} -F auid!=4294967295 -k access
## Monitors mounting events for users ## Monitors mounting events for users
# You can probably take these out # You can probably take these out