Many thanks for your answer. I will try your suggestion, but what if a user makes a copy of the su executable to, let's say, /tmp and executes /tmp/su? Will this be audited using the rule you suggested?
Best regards
Maria
-------- Original message --------
From: Steve Grubb <sgrubb@redhat.com>
Date: 23/04/2017 11:48 (GMT+02:00)
To: Maria Tsiolakki <tmaria@cs.ucy.ac.cy>
Cc: linux-audit@redhat.com
Subject: Re: audit su - access
Hello,
On Fri, 21 Apr 2017 16:00:54 +0300 Maria Tsiolakki <tmaria@cs.ucy.ac.cy> wrote:
> We have set up the audit log on a Redhat linux 7.3 machine.
> We have set up various rules, so far successfully. Our last
> requirement is to have an audit log when a user executes su -, su
> - root, or sudo su. I wrote the following rule, but it does not work:
> -a always,exit -S su
This ^^^ is the problem. The -S switch is for system calls. To see a list of system calls you can run "ausyscall --dump". Su is a program and not a syscall. So, you would place a watch on it like this:
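As an added example (not Steve's rule and not part of this thread), here is a small Python script that reads the SYSCALL records such a watch produces and reports who ran su. It assumes the watch was written with the standard auditctl watch syntax, `-w /usr/bin/su -p x -k su_exec` (the key name su_exec is my choice), and every log line below is constructed for the example, not copied from any system. The last sample record shows the case Maria raised: a watch is tied to the watched file, so an execution of a copy at another path carries no key, and `unwatched_su_execs` lists such records so the gap is visible.

```python
import re
from datetime import datetime, timezone

# Constructed sample SYSCALL records, shaped like what auditd writes to
# /var/log/audit/audit.log when an execve hits a watched path. Assumed
# rule (standard auditctl watch syntax, key name chosen for the example):
#   -w /usr/bin/su -p x -k su_exec
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1492772890.123:4501): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2345 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="su" exe="/usr/bin/su" key="su_exec"',
    'type=SYSCALL msg=audit(1492772901.456:4502): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2350 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key=(null)',
    'type=SYSCALL msg=audit(1492772950.789:4510): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2360 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="su" exe="/usr/bin/su" key="su_exec"',
    # A copy of su run from /tmp: different file, so the watch does not fire.
    'type=SYSCALL msg=audit(1492772970.111:4511): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2370 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="su" exe="/tmp/su" key=(null)',
]

# name=value pairs; values are either double-quoted or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(SECONDS.MILLIS:SERIAL)
MSG_RE = re.compile(r'audit\((\d+)\.(\d+):(\d+)\)')


def parse_record(line):
    """Split one audit record into a dict. Quoted values lose their quotes,
    (null) becomes None, and msg=audit(ts:serial) is expanded into
    'timestamp' (UTC datetime) and 'serial' (int)."""
    rec = {}
    for name, value in FIELD_RE.findall(line):
        value = value.rstrip(':')          # msg=audit(...): carries a trailing colon
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        elif value == '(null)':
            value = None
        rec[name] = value
    m = MSG_RE.search(line)
    if m:
        rec['timestamp'] = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        rec['serial'] = int(m.group(3))
    return rec


def su_events(lines, key='su_exec'):
    """Records produced by the su watch. auid is the login uid, which the
    kernel keeps across su, so it identifies the person who ran su even
    after they became root; euid=0 shows the switch to root succeeded."""
    events = []
    for line in lines:
        rec = parse_record(line)
        if rec.get('type') != 'SYSCALL' or rec.get('key') != key:
            continue
        events.append({
            'serial': rec['serial'],
            'time': rec['timestamp'].isoformat(),
            'auid': int(rec['auid']),
            'uid': int(rec['uid']),
            'euid': int(rec['euid']),
            'exe': rec['exe'],
            'tty': rec['tty'],
            'ses': rec['ses'],
        })
    return events


def unwatched_su_execs(lines, key='su_exec'):
    """exe paths of processes named su whose record carried no watch key.
    A path watch is bound to the watched file itself, so a copy placed at
    another path never matches it; listing these shows where the watch
    alone is blind."""
    found = []
    for line in lines:
        rec = parse_record(line)
        if rec.get('comm') == 'su' and rec.get('key') != key:
            found.append(rec['exe'])
    return found


if __name__ == '__main__':
    for ev in su_events(SAMPLE_RECORDS):
        print(f"{ev['time']} auid={ev['auid']} -> euid={ev['euid']} "
              f"exe={ev['exe']} tty={ev['tty']} ses={ev['ses']}")
    for exe in unwatched_su_execs(SAMPLE_RECORDS):
        print(f"su executed outside the watch: {exe}")
```

On a real host the input would be the output of `ausearch -k su_exec --raw` rather than the embedded list; the parser only looks at the name=value fields, so other record types on the same lines are ignored.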