At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd
daemon is
configured to use the augenrules
program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules
:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid>=1000 -F auid!=unset -F key=privileged