From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: audit su - access
Date: Sun, 23 Apr 2017 10:48:20 +0200
Message-ID: <20170423104820.69b5bdeb@ivy-bridge>
References: <136b31dc-2f2a-3ae0-cbac-552bbf69d406@cs.ucy.ac.cy>
In-Reply-To: <136b31dc-2f2a-3ae0-cbac-552bbf69d406@cs.ucy.ac.cy>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Maria Tsiolakki
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hello,

On Fri, 21 Apr 2017 16:00:54 +0300
Maria Tsiolakki wrote:

> We have set up the audit log on a Redhat linux 7.3 machine.
> We have set up various rules, so far successfully. Our last
> requirement is to have an audit log when a user executes su - or su
> - root, or sudo su. I write the following rule, but it does not work:
> -a always,exit -S su

This ^^^ is the problem. The -S switch is for system calls. To see a
list of system calls you can run "ausyscall --dump". Su is a program
and not a syscall. So, you would place a watch on it like this:

-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=200 -F auid!=4294967295 -F key=su-execution

-Steve

> -F auid>=200 -F auid!=4294967295 -F
> key=su-execution
>
> How can I audit log the execution of the su command?
>
> Best regards
> Maria
>
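As an added illustration (not code from the thread or from the audit project), the small linter below applies the distinction Steve draws: `-S` takes syscall names or numbers, while a program such as su is watched with `-F path=... -F perm=x`. The `KNOWN_SYSCALLS` table is a constructed stand-in for the names `ausyscall --dump` would print on the target host, and the option list and field checks are assumptions about auditctl syntax, not a complete grammar.

```python
import re
import shlex

# Constructed stand-in for "ausyscall --dump"; a real check should query
# ausyscall so the table matches the running kernel and architecture.
KNOWN_SYSCALLS = {"execve", "execveat", "open", "openat", "unlink",
                  "rename", "chmod", "setuid", "connect"}

# auditctl options that consume the following token as their argument
# (assumed subset, enough for rules of the shape discussed in the thread)
OPTS_WITH_ARG = {"-a", "-A", "-S", "-F", "-w", "-p", "-k", "-e", "-f", "-b", "-r"}

AUID_UNSET = 4294967295  # (unsigned)-1: process has no login session


def lint_rule(rule):
    """Return a list of problems found in one auditctl rule line."""
    toks = shlex.split(rule)
    problems = []
    i = 0
    while i < len(toks):
        opt = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if opt in OPTS_WITH_ARG and arg is None:
            problems.append(f"{opt} needs an argument")
            break
        if opt == "-S":
            for name in arg.split(","):
                if name != "all" and not name.isdigit() and name not in KNOWN_SYSCALLS:
                    problems.append(f"-S {name}: not a syscall; watch the binary "
                                    f"with -F path=/path/to/{name} -F perm=x")
        elif opt == "-F":
            m = re.fullmatch(r"(\w+)(!=|>=|<=|=|>|<)(.*)", arg)
            if not m:
                problems.append(f"-F {arg}: malformed field expression")
            else:
                field, _, value = m.groups()
                if field == "path" and not value.startswith("/"):
                    problems.append(f"-F path={value}: path must be absolute")
                if field == "perm" and not set(value) <= set("rwxa"):
                    problems.append(f"-F perm={value}: permissions are r, w, x, a")
                if field == "auid" and value.isdigit() and int(value) > AUID_UNSET:
                    problems.append(f"-F auid={value}: larger than the unset auid")
        i += 2 if opt in OPTS_WITH_ARG else 1
    return problems


if __name__ == "__main__":
    for r in ("-a always,exit -S su -F key=su-execution",
              "-a always,exit -F path=/usr/bin/su -F perm=x -F key=su-execution"):
        print(r, "->", lint_rule(r) or "ok")
```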