On 09/04/2015 12:20 PM, Steve Grubb wrote:
On Friday, September 04, 2015 10:54:47 AM John Jasen wrote:
> I was specifically wondering if I was missing the appropriate syscall
> for the use of setuid or setgid.
>
> From a brief examination and test, this appears to not be the case?
There are a couple ways to do this. One is using the find method. However, that
does not take into account file system based capabilities. In the lab I taught
this week, the rules generator also included this:
<snipped> filecap examples to add LINUX_CAP executables to audit.rules.
Huh .... I did not think of that.
But, if all you want is setuid, then you can use a rule like this instead of file watches:
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0
Perfect! Thanks.
For future generations googling for answers, I did the following:
-a always,exit -F arch=x86_64 -S execve -C uid!=euid -F key=execpriv
-a always,exit -F arch=x86_64 -S execve -C gid!=egid -F key=execpriv
I didn't pursue the last match, -F euid=0, as there may be cases where
you wish to audit setuid usage, but the binary is not setuid to root.
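As an added example (not part of the list thread or of the audit project), the script below puts the two approaches discussed above side by side: the "find method" Steve mentions, which turns every setuid/setgid binary under a directory into a -w file watch, and the -C uid!=euid / gid!=egid execve rules, emitted for both the b64 and b32 ABIs. The key name execpriv is taken from the thread; the directory argument, the b32 companion rule and the sample files are this example's own assumptions. The find-based generator carries the caveat raised in the thread: it cannot see binaries that gain privilege through file capabilities, which is what the syscall-based rules cover.

```shell
#!/bin/sh
# Added example, not code from the linux-audit thread: generate audit rules
# for privileged execution two ways. Directory argument, b32 rule and the
# sample files are assumptions made for this illustration.

# Emit one -w watch per setuid or setgid regular file under $1.
# Caveat from the thread: files that gain privilege via file capabilities
# (getcap/filecap) are not found this way; the -C rules below cover them.
gen_setuid_watch_rules() {
    dir="$1"
    # POSIX find: -perm -4000 = setuid bit set, -perm -2000 = setgid bit set
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    sort |
    while IFS= read -r path; do
        printf '%s\n' "-w $path -p x -k execpriv"
    done
}

# Emit the syscall-based rules from the thread for both ABIs: on a multilib
# host an execve() from a 32-bit binary only matches an arch=b32 rule.
gen_execpriv_syscall_rules() {
    for arch in b64 b32; do
        printf '%s\n' "-a always,exit -F arch=$arch -S execve -C uid!=euid -F key=execpriv"
        printf '%s\n' "-a always,exit -F arch=$arch -S execve -C gid!=egid -F key=execpriv"
    done
}

# Demo on a constructed tree. No root needed: you may set the setuid/setgid
# bits on files you own (the kernel merely ignores them on nosuid mounts).
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/plain" "$tmp/su_like" "$tmp/sg_like"
    chmod 4755 "$tmp/su_like"   # setuid
    chmod 2755 "$tmp/sg_like"   # setgid
    gen_setuid_watch_rules "$tmp"
    gen_execpriv_syscall_rules
    rm -rf "$tmp"
}

demo
```

To load the output, redirect it into a file under /etc/audit/rules.d/ (or feed it to auditctl -R) and confirm with auditctl -l; the watch list has to be regenerated whenever packages add or remove setuid binaries, while the -C rules need no maintenance.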