On Oct 25, 2016 05:12, "teroz" <terence.namusonge(a)gmail.com> wrote:
> I used one of the dirtycow root exploits on Fedora24 configured with
> 30-pci-dss-v31.rules. I was expecting an ANOM_ROOT_TRANS record but
> didn't get one. What triggers an ANOM_ROOT_TRANS record? What then is the
> best way to trivially audit for a successful privilege escalation?

I would imagine that if it's hijacking an already root or setuid binary,
you won't see anything. As far as that record goes, I have no idea, I'll
let an auditing expert answer that question.