you can set noexec as a mount option for /tmp in /etc/fstab, but also
realize that if a non-privileged user copies the su executable, it will
have permissions and ownership appropriate for that user only.
On 4/23/2017 10:22 AM, Maria Tsiolakki wrote:
Hello,
Many thanks for your answer. I will try your suggestion but what if a
user makes a copy of the su executable to let's say under /tmp and
execute /tmp/su . Will this be audited using the rule you suggest?
Best regards
Maria
Sent from my Samsung device
-------- Original message --------
From: Steve Grubb <sgrubb(a)redhat.com>
Date: 23/04/2017 11:48 (GMT+02:00)
To: Maria Tsiolakki <tmaria(a)cs.ucy.ac.cy>
Cc: linux-audit(a)redhat.com
Subject: Re: audit su - access
Hello,
On Fri, 21 Apr 2017 16:00:54 +0300
Maria Tsiolakki <tmaria(a)cs.ucy.ac.cy> wrote:
> We have setup the audit log on a Redhat linux 7.3 machine
> We have setup various rules, so far successfully. Our last
> requirement is to have audit log, when a user execute the su - or su
> - root, or sudo su I write the following rule , but it does not work
> -a always,exit -S su
This ^^^ is the problem. The -S switch is for system calls. To see a
list of system calls you can run "ausyscall --dump". Su is a
program and not a syscall. So, you would place a watch on it like this:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=200 -F
auid!=4294967295 -F key=su-execution
-Steve
> -F auid>=200 -F auid!=4294967295 -F
> key=su-execution How can I audit log the execution of the su command?
>
> Best regards
> Maria
>
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit