Correct 4.1.15 sudo audit syntax

Signed-off-by: Andrew Davison <[email protected]>
ansible-lockdown · Apr 19, 2024 · 12bbbb2 · 12bbbb2
1 parent 7acc728
commit 12bbbb2
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/templates/audit/99_auditd.rules.j2 b/templates/audit/99_auditd.rules.j2
@@ -66,8 +66,8 @@
 -w /etc/sudoers.d/ -p wa -k scope
 {% endif %}
 {% if amazon2cis_rule_4_1_15 %}
--a exit,always -F arch=b64 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions
--a exit,always -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions
+-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions
+-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions
 {% endif %}
 {% if amazon2cis_rule_4_1_16 %}
 -w /sbin/insmod -p x -k modules