mirror of
https://github.com/inspec/inspec
synced 2024-12-11 13:54:07 +00:00
21edc712bd
Per auditctl(8), the -a option can have either list,action or action,list. This PR matches against valid actions for the action field and passed the remainder off to the list field. Closes #4664 Signed-off-by: Trevor Vaughan <tvaughan@onyxpoint.com>
8 lines
528 B
Text
8 lines
528 B
Text
-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -F key=access
|
|
-a always,exit -F arch=b32 -S open,openat -F exit=-EPERM -F key=access
|
|
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 f24!=0 -F key=perm_mod
|
|
-a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
|
|
-a exit,always -S all -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
|
|
-w /etc/ssh/sshd_config -p rwxa -k CFG_sshd_config
|
|
-w /etc/sudoers -p wa
|
|
-w /etc/private-keys -p x
|