##- Use of privileged commands (unsuccessful and successful)
## You can run the following commands to generate the rules (don't forget to
## add arch=b32 rules, too):
##
## Each generated line is an auditctl syscall rule: "-a always,exit" records
## every matching syscall on exit, "-F path=..." restricts it to one binary,
## "-F perm=x" to execute access, and "-F key=privileged" tags the events so
## they can be found with "ausearch -k privileged". The two auid filters keep
## only interactive users: auid>=1000 drops accounts below the usual UID_MIN
## for regular users, and auid!=unset drops processes that never went through
## a login (daemons and other init-started services).
##
## The four find commands collect setuid binaries (-perm -04000 matches the
## setuid bit); the four filecap commands collect binaries carrying file
## capabilities, which also run with elevated privilege. "sed '1d'" drops the
## header line filecap prints, and $2 is the path column of its output.
## The first command uses ">" (truncate) and the rest ">>" (append): run them
## in this order, or a later ">" would discard the earlier results.
## Rules are generated only for arch=b64; on a multilib system a 32-bit caller
## of the same binary is not matched, so duplicate each line with arch=b32.
##
## NOTE(review): -perm -04000 matches setuid only. If your baseline also
## treats setgid binaries (-perm -02000) as privileged, run the same find
## commands with that mode too. The generated list is a snapshot of the
## filesystem at generation time; regenerate it after package updates so
## newly installed privileged binaries stay covered.
#find /bin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F arch=b64 -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' > priv.rules
#find /sbin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F arch=b64 -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#find /usr/bin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F arch=b64 -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#find /usr/sbin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F arch=b64 -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#filecap /bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F arch=b64 -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /sbin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F arch=b64 -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /usr/bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F arch=b64 -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /usr/sbin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F arch=b64 -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules