I'm currently testing auditd with rules for setuid or setgid binaries on
the system.
I currently maintain the list via find, and pushing the results to an
audit.rules file.
I'm hoping there's a cleaner way, perhaps by triggering on the
appropriate syscall -- but have not discovered it.
Is there an easier method?
The find method is what I use (though I push it to a file in rules.d and
then run augenrules, which for RHEL5/6 I just stole from RHEL7). Using
find to generate these rules is actually in the text of, IIRC, at least
one of the RHEL STIGs (6, draft of 7, possibly both), though not quite as
automated as the way I do it.
--Ray
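The find-based approach described in both messages, written out as an added example (this is not code from either poster). It assumes a RHEL-style /etc/audit/rules.d directory with augenrules available; the key name "privileged" and the file name 50-privileged.rules are my own choices.

```shell
#!/bin/sh
# Added example: build auditd rules for every setuid/setgid file under the
# given filesystem roots, one rule per binary, then install them via rules.d
# and augenrules. Assumes a RHEL-style /etc/audit/rules.d layout.

gen_privileged_rules() {
    # $@ = roots to scan. -xdev stays on one filesystem per root, and the
    # portable "-perm -4000 -o -perm -2000" test avoids GNU-only "-perm /6000".
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | sort -u \
        | while IFS= read -r path; do
            # Log every execution of the binary by a real logged-in user.
            # auid!=4294967295 excludes daemons with no login uid set; it is
            # spelled numerically so the rule also loads on older audit versions.
            printf -- '-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged\n' "$path"
        done
}

install_privileged_rules() {
    # $1 = rules.d directory, remaining args = roots to scan.
    # Writes the generated rules, then rebuilds and loads /etc/audit/audit.rules.
    rulesd=$1
    shift
    gen_privileged_rules "$@" > "$rulesd/50-privileged.rules"
    augenrules --load
}

# Typical use (as root):
#   install_privileged_rules /etc/audit/rules.d /
```

Re-run install_privileged_rules after package updates so newly installed setuid binaries get their own rule.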