From 57bd6619e6b8d860ff4f773c66c04b04511d1043 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 21 Apr 2024 07:41:43 +0200 Subject: [PATCH] fix: privilege abuse rule https://github.com/Neo23x0/auditd/issues/143 --- audit.rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/audit.rules b/audit.rules index 41b7e22..d973b98 100644 --- a/audit.rules +++ b/audit.rules @@ -513,7 +513,7 @@ ## Privilege Abuse ### The purpose of this rule is to detect when an admin may be abusing power by looking in user's home dir. --a always,exit -F dir=/home -F auid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse +-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=-1 -C auid!=obj_uid -k power_abuse # Socket Creations # will catch both IPv4 and IPv6
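Review bot: The fix is correct and the old rule was dead code: `-F auid=0 -F auid>=1000` can never match, since a login uid cannot be both 0 and at least 1000, so the `power_abuse` key was never emitted. With `-F uid=0 -F auid>=1000 -F auid!=-1` the rule now matches processes running as root whose login session belongs to an ordinary user (for example after `sudo` or `su`), excludes sessionless processes such as daemons and cron, and `-C auid!=obj_uid` still suppresses an admin touching files under their own home directory. One caveat worth stating in the `###` comment above the rule: `uid` in an audit filter is the real uid, so root privilege obtained through a setuid binary (real uid unchanged) is not covered by this line; `-F euid=0` would match that case as well if it is wanted. Suggest also mentioning in the comment that the rule has no `-S`, so it fires on every syscall with a path argument under `/home` and can be noisy on systems where admins routinely work in user homes.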