Initial commit
diff --git a/roles/audit/templates/32-power-abuse.rules.j2 b/roles/audit/templates/32-power-abuse.rules.j2
new file mode 100644 (file)
index 0000000..9e02835
--- /dev/null
@@ -0,0 +1,3 @@
+## The purpose of this rule is to detect when an admin may be abusing power
+## by looking in user's home dir.
+-a always,exit -F dir=/home -F uid=0 -C auid!=obj_uid -F key=admin-abuse
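Review bot: The rule on the last line filters only on `uid=0` and `auid!=obj_uid`, so every root process whose login uid is unset (system daemons, cron and backup jobs, presumably sshd reading a user's authorized_keys) matches on every access under /home, and that volume will bury the interactive admin events the comment says it wants. The upstream audit sample rule of the same name additionally restricts to real logins, so consider `-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=unset -C auid!=obj_uid -F key=admin-abuse`. The 1000 threshold assumes the distribution's UID_MIN; if the managed hosts use a different minimum it should be driven by a role variable rather than hard-coded in the template. A one-line comment such as `## Static template: no Jinja variables are used here on purpose` would also tell the next reader why a .j2 file contains no expressions.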