auditd not triggering ANOM_ROOT_TRANS record
I used one of the dirtycow root exploits on Fedora24 configured
with 30-pci-dss-v31.rules. I was expecting an ANOM_ROOT_TRANS record but
didn't get one. What triggers an ANOM_ROOT_TRANS record? What then is the
best way to trivially audit for a successful privilege escalation?
Attachments:
- audit.log.excerpt (application/octet-stream — 2.3 KB)
- attachment.html (text/html — 367 bytes)