ansible-lockdown / UBUNTU22-CIS

Ansible role for Ubuntu22 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

Question regarding rule 4.1.3.2 "Ensure actions as another user are always logged" #89

Closed bgro closed 12 months ago

bgro commented 1 year ago

Question

It seems that the configuration used by this role does not quite capture what CIS wants to have captured.

CIS wants actions as another user to always be logged and proposes:

-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation

This role, however, is "only" interested in actions as the root user:

-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions
-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions

Shouldn't we rather use what CIS proposes for this rule?
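The difference raised above can be checked mechanically. The following is an added example, not part of the issue thread or the role's code: it classifies execve audit rules as matching the CIS 4.1.3.2 form or as narrowed by extra `euid`/`auid` filters. The function names `classify_rule` and `check_user_emulation` are hypothetical, and it assumes `unset`, `-1` and `4294967295` are treated as the same unset-loginuid value.

```bash
#!/usr/bin/env bash
# Added example (not the role's code): audit rule check for CIS 4.1.3.2.

# Prints ok:<arch>, narrowed:<arch>, or skip for one audit rule line.
classify_rule() {
    local rule arch
    rule=" $(printf '%s' "$1" | tr -s '[:space:]' ' ') "
    # Must be an active (uncommented) rule that audits execve.
    case "$rule" in ' -'[aA]' '*' -S execve '*) ;; *) echo skip; return ;; esac
    case "$rule" in *' -C euid!=uid '*) ;; *) echo skip; return ;; esac
    case "$rule" in
        *' -F arch=b64 '*) arch=b64 ;;
        *' -F arch=b32 '*) arch=b32 ;;
        *) echo skip; return ;;
    esac
    # "unset", -1 and 4294967295 all denote an unset loginuid.
    case "$rule" in
        *' -F auid!=unset '*|*' -F auid!=-1 '*|*' -F auid!=4294967295 '*) ;;
        *) echo skip; return ;;
    esac
    # Extra euid/auid filters restrict which identity switches get logged.
    case "$rule" in
        *' -F euid'*|*' -F auid>'*|*' -F auid<'*|*' -F auid='*) echo "narrowed:$arch" ;;
        *) echo "ok:$arch" ;;
    esac
}

# Returns 0 only if the file has an un-narrowed rule for both b64 and b32.
check_user_emulation() {
    local line status ok64=0 ok32=0 rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        status=$(classify_rule "$line")
        case "$status" in
            ok:b64) ok64=1 ;;
            ok:b32) ok32=1 ;;
            narrowed:*) echo "NARROWED ${status#narrowed:}: $line" ;;
        esac
    done < "$1"
    [ "$ok64" -eq 1 ] || { echo "MISSING: un-narrowed b64 rule"; rc=1; }
    [ "$ok32" -eq 1 ] || { echo "MISSING: un-narrowed b32 rule"; rc=1; }
    return "$rc"
}

# Demo on the role's b64 rule as quoted in this issue.
demo=$(mktemp)
printf '%s\n' '-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions' > "$demo"
check_user_emulation "$demo" || echo "result: does not satisfy the CIS form"
rm -f "$demo"
```

To use it on a host, pass a rules file such as one under `/etc/audit/rules.d/` as the argument to `check_user_emulation`.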

uk-bolly commented 12 months ago

Hi @bgro

This issue was merged to devel a couple of weeks ago. I will close this issue; if this does not resolve your issue, please reopen.

Many thanks as always

uk-bolly