On a server running RHEL 7.2 the audit rules fail to load due to an error on this rule:

 

-a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=10.2.5.b-elevated-privs-session

 

From what I have found it seems “exe” may not be a valid field on this specific O.S. – is this correct?  Does anyone have any recommendations on how to track elevated privileges for all RHEL 6/7 systems?