/usr/share/audit/sample-rules
## The purpose of this rule is to detect when an admin may be abusing power ## by looking in user's home dir. -a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=unset -C auid!=obj_uid -F key=power-abuse
.
Edit
..
Edit
10-base-config.rules
Edit
10-no-audit.rules
Edit
11-loginuid.rules
Edit
12-cont-fail.rules
Edit
12-ignore-error.rules
Edit
20-dont-audit.rules
Edit
21-no32bit.rules
Edit
22-ignore-chrony.rules
Edit
23-ignore-filesystems.rules
Edit
30-nispom.rules
Edit
30-ospp-v42-1-create-failed.rules
Edit
30-ospp-v42-1-create-success.rules
Edit
30-ospp-v42-2-modify-failed.rules
Edit
30-ospp-v42-2-modify-success.rules
Edit
30-ospp-v42-3-access-failed.rules
Edit
30-ospp-v42-3-access-success.rules
Edit
30-ospp-v42-4-delete-failed.rules
Edit
30-ospp-v42-4-delete-success.rules
Edit
30-ospp-v42-5-perm-change-failed.rules
Edit
30-ospp-v42-5-perm-change-success.rules
Edit
30-ospp-v42-6-owner-change-failed.rules
Edit
30-ospp-v42-6-owner-change-success.rules
Edit
30-ospp-v42.rules
Edit
30-pci-dss-v31.rules
Edit
30-stig.rules
Edit
31-privileged.rules
Edit
32-power-abuse.rules
Edit
40-local.rules
Edit
41-containers.rules
Edit
42-injection.rules
Edit
43-module-load.rules
Edit
44-installers.rules
Edit
70-einval.rules
Edit
71-networking.rules
Edit
99-finalize.rules
Edit
README-rules
Edit