Closed james-stocks closed 6 years ago
The current CIS rule set in this cookbook includes:
    # CIS 4.1.14
    -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
    -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
For RHEL6, the CIS recommendation (see here) has auid>=500

    # grep delete /etc/audit/audit.rules
    -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
    -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
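
One way to detect and correct the mismatch reported above, as an added example that is not the cookbook's own code. It assumes the `auid>=` threshold should equal `UID_MIN` from `/etc/login.defs` (500 by default on RHEL6, 1000 on RHEL7); the helper names `uid_min`, `auid_mismatches` and `fix_auid` are hypothetical and the `login.defs` sample is constructed.

```ruby
# Added example, not the cookbook's code. Assumption: the auid>= threshold
# in the rules should equal UID_MIN from /etc/login.defs.

# Constructed sample of a RHEL6-style login.defs so the example runs offline.
LOGIN_DEFS_RHEL6 = <<~DEFS
  # Min/max values for automatic uid selection in useradd
  UID_MIN                   500
  UID_MAX                 60000
DEFS

# The two rules the issue quotes from the cookbook's current rule set.
COOKBOOK_RULES = <<~RULES
  # CIS 4.1.14
  -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
  -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
RULES

# Return UID_MIN from login.defs text, or nil when it is not set.
def uid_min(login_defs)
  line = login_defs.each_line.find { |l| l =~ /\A\s*UID_MIN\s+\d+/ }
  line && line.split[1].to_i
end

# Return [line_number, found_threshold] for every rule whose auid>= value
# differs from the expected one. Comments and blank lines are skipped.
def auid_mismatches(rules, expected)
  rules.each_line.with_index(1).map do |line, no|
    next if line.strip.empty? || line.lstrip.start_with?('#')
    m = line.match(/-F\s+auid>=(\d+)/)
    [no, m[1].to_i] if m && m[1].to_i != expected
  end.compact
end

# Rewrite only the auid>= field; the auid!=4294967295 filter is left untouched.
def fix_auid(rules, expected)
  rules.gsub(/(-F\s+auid>=)\d+/) { "#{Regexp.last_match(1)}#{expected}" }
end

if __FILE__ == $PROGRAM_NAME
  min = uid_min(LOGIN_DEFS_RHEL6)
  auid_mismatches(COOKBOOK_RULES, min).each do |no, found|
    puts "line #{no}: auid>=#{found}, expected auid>=#{min}"
  end
  puts fix_auid(COOKBOOK_RULES, min)
end
```

With the threshold at 1000 on a host whose regular users start at 500, deletions by accounts with UIDs 500 to 999 are never logged under the `delete` key.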