Open borross opened 2 months ago
for correct logging add pls under the section ## root ssh key tampering such value -w /root/.ssh/authorized_keys -p wa -k rootkey
-w /root/.ssh/authorized_keys -p wa -k rootkey
Commands for check:
ssh-keygen -t rsa -f test_key cat test_key.pub >> /root/.ssh/authorized_keys
Log sample:
type=PATH msg=audit(1723720092.480:12186438): item=0 name="/root/.ssh/authorized_keys" nametype=UNKNOWN cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
what about:
-a always,exit -F arch=b32 -F dir=/root/.ssh/authorized_keys -F perm=wa -F key=rootkey -a always,exit -F arch=b64 -F dir=/root/.ssh/authorized_keys -F perm=wa -F key=rootkey
for correct logging add pls under the section ## root ssh key tampering such value
-w /root/.ssh/authorized_keys -p wa -k rootkey
Commands for check:
Log sample: