auditd rule error
On a server running RHEL 7.2 the audit rules fail to load due to an error on this rule:
-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F
key=10.2.5.b-elevated-privs-session
From what I have found it seems "exe" may not be a valid
field on this specific O.S. - is this correct? Does anyone have any recommendations on
how to track elevated privileges for all RHEL 6/7 systems?
Attachments:
- attachment.html (text/html — 2.2 KB)