At a minimum, the audit system should collect any execution attempt
of the chcon
command for all users and root. If the auditd
daemon is configured to use the augenrules
program to read audit rules
during daemon startup (the default), add the following lines to a file with suffix
.rules
in the directory /etc/audit/rules.d
:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules
file:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged