```
## Privilege Abuse
### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse
```
...should be...
```
## Privilege Abuse
### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
-a always,exit -F dir=/home -F auid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse
```
Hey, I think the new version of this rule is unfortunately broken now, because AUID is now required to be both 0 and >=1000 at the same time, which is never going to happen.
The original version of the rule is working fine in my testing on Ubuntu 22.04. I don't see the "-F unknown field: uid"-issue that @juresaht2 reported (might be a different issue on his end).
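The contradiction raised in the comment above can be caught mechanically before a rules file is loaded, because every `-F` filter in one rule must hold at the same time. The following is an added example, not part of the issue thread or of the Neo23x0/auditd project: the function names are hypothetical, only numeric `-F` comparisons are modelled, and `-1` is assumed to be compared as the unsigned 32-bit "unset" value.

```python
import re

# One numeric -F filter: field, comparison operator, integer value.
_FILTER = re.compile(r"^(\w+)(>=|<=|!=|=|>|<)(-?\d+)$")
UNSET = 4294967295  # assumption: -1 (unset auid) is compared as unsigned 32-bit

# The two rule lines quoted in the issue.
ORIGINAL_RULE = ("-a always,exit -F dir=/home -F uid=0 -F auid>=1000 "
                 "-F auid!=-1 -C auid!=obj_uid -k power_abuse")
PROPOSED_RULE = ("-a always,exit -F dir=/home -F auid=0 -F auid>=1000 "
                 "-F auid!=-1 -C auid!=obj_uid -k power_abuse")

def numeric_filters(rule):
    """Yield (field, op, value) for each numeric -F filter in a rule line."""
    tokens = rule.split()
    for flag, arg in zip(tokens, tokens[1:]):
        match = _FILTER.match(arg) if flag == "-F" else None
        if match:
            value = int(match.group(3))
            yield match.group(1), match.group(2), UNSET if value == -1 else value

def contradictory_fields(rule):
    """Return fields whose ANDed -F filters can never all be true."""
    bounds = {}  # field -> [lowest allowed, highest allowed, excluded values]
    for field, op, value in numeric_filters(rule):
        b = bounds.setdefault(field, [0, UNSET, set()])
        if op == "=":
            b[0], b[1] = max(b[0], value), min(b[1], value)
        elif op == ">=":
            b[0] = max(b[0], value)
        elif op == ">":
            b[0] = max(b[0], value + 1)
        elif op == "<=":
            b[1] = min(b[1], value)
        elif op == "<":
            b[1] = min(b[1], value - 1)
        else:  # "!=" removes a single value from the allowed range
            b[2].add(value)
    return sorted(f for f, (lo, hi, excluded) in bounds.items()
                  if lo > hi or (lo == hi and lo in excluded))

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE), ("proposed", PROPOSED_RULE)):
        print(name, "unsatisfiable fields:", contradictory_fields(rule))
```

Non-numeric filters such as `dir=/home` and the `-C` inter-field comparison are skipped, so an empty result only means no numeric contradiction was found.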
I get the error:
I assume this is a typo:
https://github.com/Neo23x0/auditd/blob/master/audit.rules#L464
...should be...