fix: privilege abuse rule
Neo23x0 committed Apr 21, 2024
1 parent 36a7c52 commit 57bd661
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion audit.rules
Expand Up @@ -513,7 +513,7 @@

## Privilege Abuse
### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir.
-a always,exit -F dir=/home -F auid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse
-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse

# Socket Creations
# will catch both IPv4 and IPv6
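
Review bot: The comment above the changed rule ("detect when an admin may be abusing power by looking in user's home dir") does not say which identities the rule matches, and that is the part this fix changes. With `-F uid=0 -F auid>=1000` the rule fires for processes running as root whose login uid belongs to a regular account, touching objects under /home whose owner differs from that login uid (`-C auid!=obj_uid`). The removed `-F auid=0 -F auid>=1000` pair could never both be true, so the old rule never matched anything. Suggest recording that in the comment and in the commit message, and noting that sessions with auid 0 (direct root logins) are not covered by this rule. The rule also has no `-S` field, so it applies to every syscall under /home; now that it can actually match, it is worth checking the `power_abuse` event volume on a busy host.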