Auditd - Some invalid rules due to duplicates, some due to syntax #18

@CircuitCipher

Description

Auditd lremovexattr has duplicate rules because there are two 32-bit rules instead of one 32-bit and one 64-bit.

Record events that modify the system's discretionary access controls

lremovexattr

Here there are two b32 arch rules instead of one for 32-bit and one for 64-bit:

-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod

Typo in ftruncate rule

Record unauthorized access attempts to files

ftruncate

The third rule down says 'exiu' instead of 'exit':

-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
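Both defects reported above (an exact duplicate that hides a missing b64 twin, and a misspelled `-F` field name that auditctl rejects) are the kind of thing a small linter catches before rules are loaded. The following checker is an added example written for this page; it is not code from the issue or from the project. The `KNOWN_FIELDS` set is an assumed subset of the field names auditctl(8) accepts, and the sample rules are constructed from the lines quoted in the issue.

```python
"""Lint auditd rule text for exact duplicates, unknown -F field names,
and syscall rules whose b32/b64 counterpart is missing."""
import re
from collections import Counter

# Assumption: a subset of the -F field names auditctl(8) accepts.
# Anything not listed here is reported as suspicious (e.g. the 'exiu' typo).
KNOWN_FIELDS = {
    "arch", "auid", "uid", "euid", "suid", "fsuid", "gid", "egid", "sgid",
    "fsgid", "key", "exit", "path", "perm", "dir", "msgtype", "success",
    "pid", "ppid", "devmajor", "devminor", "inode", "exe", "filetype",
}

# Constructed sample: the duplicated lremovexattr pair and the 'exiu' typo
# quoted in the issue above.
SAMPLE_RULES = """\
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod
-a always,exit -F arch=b64 -S ftruncate -F exiu=-EACCES -F auid>=1000 -F auid!=unset -F key=access
"""

# "-F name<op>value": capture the field name, accept any auditctl comparison operator.
FIELD_RE = re.compile(r"-F\s+([A-Za-z_]+)\s*(?:=|!=|>=|<=|>|<|&=|&)")
ARCH_RE = re.compile(r"-F\s+arch=(b32|b64)\b")


def _rules(text):
    """Yield (line_number, whitespace-normalised rule) for non-empty, non-comment lines."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        norm = " ".join(line.split())
        if norm and not norm.startswith("#"):
            yield lineno, norm


def find_duplicates(text):
    """Return rule lines that appear more than once, sorted."""
    counts = Counter(rule for _, rule in _rules(text))
    return sorted(rule for rule, n in counts.items() if n > 1)


def find_unknown_fields(text):
    """Return (line_number, field) pairs whose -F field name is not a known one."""
    bad = []
    for lineno, rule in _rules(text):
        for field in FIELD_RE.findall(rule):
            if field not in KNOWN_FIELDS:
                bad.append((lineno, field))
    return bad


def missing_arch_pairs(text):
    """For arch-filtered rules, return (rule_template, missing_arch) where the
    same rule exists for one of b32/b64 but not the other."""
    seen = {}
    for _, rule in _rules(text):
        m = ARCH_RE.search(rule)
        if not m:
            continue
        # Replace the arch value with a placeholder so b32 and b64 twins collapse together.
        template = rule[:m.start(1)] + "{arch}" + rule[m.end(1):]
        seen.setdefault(template, set()).add(m.group(1))
    return sorted(
        (template, arch)
        for template, archs in seen.items()
        for arch in {"b32", "b64"} - archs
    )


if __name__ == "__main__":
    for dup in find_duplicates(SAMPLE_RULES):
        print("duplicate rule:", dup)
    for lineno, field in find_unknown_fields(SAMPLE_RULES):
        print(f"line {lineno}: unknown -F field '{field}'")
    for template, arch in missing_arch_pairs(SAMPLE_RULES):
        print(f"no {arch} counterpart for: {template}")
```

Run against a real rules file, the three checks map directly onto the issue: the lremovexattr line is reported as a duplicate and as lacking a b64 twin, and the ftruncate line is flagged for the unknown field `exiu` (it also shows as missing a b32 twin, because the misspelled line does not normalise to the same template as its correct neighbours).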
