Closed bgro closed 12 months ago
Question

It seems that the configuration used by this role does not quite capture what CIS wants to have captured.
CIS wants actions as another user to always be logged and proposes:
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
-a always,exit -F arch=b32 -C euid!=uid -F auid!=unset -S execve -k user_emulation
This role, however, is "only" interested in actions as the root user:
-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions
-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions
Shouldn't we rather use what CIS proposes for this rule?
hi @bgro
This issue was merged to devel a couple of weeks ago. I will close this issue; if this does not resolve your issue, please reopen.
Many thanks as always
uk-bolly
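The coverage gap raised in the question, as an added example that is not part of the issue thread or the role's code: it evaluates the `-F`/`-C` filters of the two quoted b64 rules against constructed execve events. The helper names and the event values (uid 26, uid 500 and so on) are assumptions made for illustration; `unset` is treated as 4294967295, the same value the role's rule spells out.

```python
import shlex

UNSET = 4294967295  # numeric value auditd uses for an unset loginuid ("unset" / -1)

# The two b64 rules quoted in the question.
CIS_RULE = "-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation"
ROLE_RULE = ("-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 "
             "-F auid!=4294967295 -S execve -k actions")

OPS = {"!=": lambda a, b: a != b, ">=": lambda a, b: a >= b, "=": lambda a, b: a == b}

def parse(rule):
    """Return (field, op, value) for each -F/-C option, ignoring arch."""
    tokens, filters = shlex.split(rule), []
    for flag, expr in zip(tokens, tokens[1:]):
        if flag not in ("-F", "-C"):
            continue
        op = next(o for o in ("!=", ">=", "=") if o in expr)  # longest operators first
        field, value = expr.split(op, 1)
        if field != "arch":
            filters.append((field, op, value))
    return filters

def matches(rule, event):
    """True when the event's uid/euid/auid satisfy every filter (filters are ANDed)."""
    def resolve(value):
        if value == "unset":
            return UNSET
        return event[value] if value in event else int(value)
    return all(OPS[op](event[field], resolve(value)) for field, op, value in parse(rule))

# Constructed execve events (sample values, not taken from a real audit log).
EVENTS = {
    "euid root, login user":      {"uid": 1000, "euid": 0,    "auid": 1000},
    "euid non-root, login user":  {"uid": 1000, "euid": 26,   "auid": 1000},
    "euid non-root, root login":  {"uid": 0,    "euid": 26,   "auid": 0},
    "euid root, auid below 1000": {"uid": 500,  "euid": 0,    "auid": 500},
    "euid root, auid unset":      {"uid": 1000, "euid": 0,    "auid": UNSET},
    "no identity change":         {"uid": 1000, "euid": 1000, "auid": 1000},
}

def coverage(events=EVENTS):
    """Map each event name to (logged by CIS rule, logged by role rule)."""
    return {n: (matches(CIS_RULE, e), matches(ROLE_RULE, e)) for n, e in events.items()}

if __name__ == "__main__":
    for name, (cis, role) in coverage().items():
        print(f"{name:28} CIS={cis!s:5} role={role!s:5}")
```

Only the first event is logged by both rules; the next three are logged by the CIS rule alone, which is the difference the question describes.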