Ah, thanks. I had only recently added -k rootcmd so I didn't notice it was
different earlier ... but I should've noticed this time. Thanks!
On Wed, Jul 13, 2016 at 9:39 AM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Wednesday, July 13, 2016 9:27:25 AM EDT Chris Nandor wrote:
> As mentioned in previous e-mail, we want to log what users do as root. I
> have these two rules, only:
>
> -a exit,always -F arch=b32 -F euid=0 -F auid>=0 -F auid!=4294967295 -S
> execve -k rootcmd
> -a exit,always -F arch=b64 -F euid=0 -F auid>=0 -F auid!=4294967295 -S
> execve -k rootcmd
>
> But this line shows up:
>
>
node=grax.sea.marchex.com type=ANOM_ABEND
> msg=audit(1468426871.752:3282575): auid=811 uid=811 gid=811 ses=12
> pid=18504 comm="chromium-browse" reason="seccomp" sig=0
syscall=91
compat=0
> ip=0x7f296c759c77 code=0x50001
There are two kinds of events. There are the ones that are triggered by the
rules you load, and there are rules that are hardwired to be logged because
something significant happened. In this case the seccomp filter killed
chromium-browse because it violated policy. It has nothing to do with your
rules which have a rootcmd key.
To find the events triggered by your rule, use:
ausearch --start today -k rootcmd -i
-Steve
> My guess is that it is because euid is missing; maybe euid=0 is true if
> euid is null? I could put uid=0, instead of euid ... but that isn't
> exactly what I want, I think. Is there a way to have the rule require
euid
> actually be 0?
>
> --Chris