inspec/test/fixtures/cmd/auditctl
Trevor Vaughan 21edc712bd
Fix auditd resource processing of action and list
Per auditctl(8), the -a option can have either list,action or
action,list. This PR matches against valid actions for the action field
and passed the remainder off to the list field.

Closes #4664

Signed-off-by: Trevor Vaughan <tvaughan@onyxpoint.com>
2019-12-12 17:38:47 -05:00

8 lines
528 B
Text

-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -F key=access
-a always,exit -F arch=b32 -S open,openat -F exit=-EPERM -F key=access
-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 f24!=0 -F key=perm_mod
-a always,exit -S all -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-a exit,always -S all -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -F key=privileged
-w /etc/ssh/sshd_config -p rwxa -k CFG_sshd_config
-w /etc/sudoers -p wa
-w /etc/private-keys -p x