Typo? unknown field uid #125

juresaht2 · 2024-01-09T13:14:51Z

I get the error:

augenrules: -F unknown field: uid

I assume this is a typo:
https://github.com/Neo23x0/auditd/blob/master/audit.rules#L464

## Privilege Abuse
### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse

...should be...

## Privilege Abuse
### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
-a always,exit -F dir=/home -F auid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse

The text was updated successfully, but these errors were encountered:

Neo23x0 · 2024-01-09T20:53:41Z

Thanks

as9k1 · 2024-04-20T15:48:00Z

Hey, I think the new version of this rule is unfortunately broken now, because AUID is now required to be both 0 and >=1000 at the same time, which is never going to happen.

The original version of the rule is working fine in my testing on Ubuntu 22.04. I don't see the "-F unknown field: uid"-issue that @juresaht2 reported (might be a different issue on his end).

Neo23x0 closed this as completed in dfb7898 Jan 9, 2024

as9k1 mentioned this issue Apr 20, 2024

The power_abuse rule is broken after recent change #143

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Typo? unknown field uid #125

Typo? unknown field uid #125

juresaht2 commented Jan 9, 2024

Neo23x0 commented Jan 9, 2024

as9k1 commented Apr 20, 2024 •

edited

Typo? unknown field uid #125

Typo? unknown field uid #125

Comments

juresaht2 commented Jan 9, 2024

Neo23x0 commented Jan 9, 2024

as9k1 commented Apr 20, 2024 • edited

as9k1 commented Apr 20, 2024 •

edited