...

##- Use of privileged commands (unsuccessful and successful)
## You can run the following commands to generate the rules (don't forget to
## add arch=b32 rules, too):
#find /bin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F arch=b64 -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' > priv.rules
#find /sbin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F arch=b64 -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#find /usr/bin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F arch=b64 -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#find /usr/sbin -type f -perm -04000 2>/dev/null | awk '{ printf "-a always,exit -F arch=b64 -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' >> priv.rules
#filecap /bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F arch=b64 -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /sbin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F arch=b64 -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /usr/bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F arch=b64 -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules
#filecap /usr/sbin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F arch=b64 -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' >> priv.rules

.	Edit
..	Edit
10-base-config.rules	Edit
10-no-audit.rules	Edit
11-loginuid.rules	Edit
12-cont-fail.rules	Edit
12-ignore-error.rules	Edit
20-dont-audit.rules	Edit
21-no32bit.rules	Edit
22-ignore-chrony.rules	Edit
23-ignore-filesystems.rules	Edit
30-nispom.rules	Edit
30-ospp-v42-1-create-failed.rules	Edit
30-ospp-v42-1-create-success.rules	Edit
30-ospp-v42-2-modify-failed.rules	Edit
30-ospp-v42-2-modify-success.rules	Edit
30-ospp-v42-3-access-failed.rules	Edit
30-ospp-v42-3-access-success.rules	Edit
30-ospp-v42-4-delete-failed.rules	Edit
30-ospp-v42-4-delete-success.rules	Edit
30-ospp-v42-5-perm-change-failed.rules	Edit
30-ospp-v42-5-perm-change-success.rules	Edit
30-ospp-v42-6-owner-change-failed.rules	Edit
30-ospp-v42-6-owner-change-success.rules	Edit
30-ospp-v42.rules	Edit
30-pci-dss-v31.rules	Edit
30-stig.rules	Edit
31-privileged.rules	Edit
32-power-abuse.rules	Edit
40-local.rules	Edit
41-containers.rules	Edit
42-injection.rules	Edit
43-module-load.rules	Edit
44-installers.rules	Edit
70-einval.rules	Edit
71-networking.rules	Edit
99-finalize.rules	Edit
README-rules	Edit