From 4c4c1e52d993a85b1305bc335842b39cdfbcded1 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Tue, 29 Aug 2023 22:06:31 +0200
Subject: [PATCH 1/2] Update audit.rules System Security Services Daemon (SSSD)
---
 audit.rules | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/audit.rules b/audit.rules
index 03ed184..011e398 100644
--- a/audit.rules
+++ b/audit.rules
@@ -334,12 +334,19 @@
 -w /usr/local/bin/xfreerdp -p x -k susp_activity
 -w /usr/bin/nmap -p x -k susp_activity
-## sssd
--a always,exit -F path=/usr/libexec/sssd/p11_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
--a always,exit -F path=/usr/libexec/sssd/krb5_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
--a always,exit -F path=/usr/libexec/sssd/ldap_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
--a always,exit -F path=/usr/libexec/sssd/selinux_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
--a always,exit -F path=/usr/libexec/sssd/proxy_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
+## System Security Services Daemon (SSSD)
+### https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services
+### https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/configuring_authentication_and_authorization_in_rhel/index
+
+-w /etc/nsswitch.conf -p x -k T1078_Valid_Accounts
+-w /etc/sssd/sssd.conf -p x -k T1078_Valid_Accounts
+-w /etc/openldap/ldap.conf -p x -k T1078_Valid_Accounts
+
+-a always,exit -F path=/usr/libexec/sssd/p11_child -F perm=x -F auid>=500 -F auid!=-1 -k T1078_Valid_Accounts
+-a always,exit -F path=/usr/libexec/sssd/krb5_child -F perm=x -F auid>=500 -F auid!=-1 -k T1078_Valid_Accounts
+-a always,exit -F path=/usr/libexec/sssd/ldap_child -F perm=x -F auid>=500 -F auid!=-1 -k T1078_Valid_Accounts
+-a always,exit -F path=/usr/libexec/sssd/selinux_child -F perm=x -F auid>=500 -F auid!=-1 -k T1078_Valid_Accounts
+-a always,exit -F path=/usr/libexec/sssd/proxy_child -F perm=x -F auid>=500 -F auid!=-1 -k T1078_Valid_Accounts
 ## T1002 Data Compressed
From db1186d43712a687927b20ac556302a395c9f3f1 Mon Sep 17 00:00:00 2001
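Review bot: The `-F auid>=500` threshold on the five new `-a always,exit` rules for the sssd child helpers does not line up with the RHEL 7/8 releases the added `###` links point to, where UID_MIN in /etc/login.defs is 1000, so accounts in the 500–999 range (system users on those releases) would be treated as interactive logins; if the rest of audit.rules keys on 1000, these should read `-F auid>=1000 -F auid!=-1` for consistency (the rest of the file is not visible here, so this is a check rather than a certainty). Keeping `auid!=-1` means helpers spawned by the sssd daemon itself, which carries an unset loginuid, are excluded, so these rules only fire on direct invocation by a logged-in user; that intent deserves a comment above the block, e.g. `### direct invocation of the sssd helpers by a logged-in user only; children of the daemon carry an unset auid and are excluded`. The switch from `auid!=4294967295` to `auid!=-1` is equivalent and fine.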
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Sun, 4 Feb 2024 18:25:14 +0100
Subject: [PATCH 2/2] Update audit.rules sssd
---
 audit.rules | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/audit.rules b/audit.rules
index 011e398..94a0472 100644
--- a/audit.rules
+++ b/audit.rules
@@ -338,9 +338,9 @@
 ### https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services
 ### https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/configuring_authentication_and_authorization_in_rhel/index
--w /etc/nsswitch.conf -p x -k T1078_Valid_Accounts
--w /etc/sssd/sssd.conf -p x -k T1078_Valid_Accounts
--w /etc/openldap/ldap.conf -p x -k T1078_Valid_Accounts
+-w /etc/nsswitch.conf -p wa -k T1078_Valid_Accounts
+-w /etc/sssd/sssd.conf -p wa -k T1078_Valid_Accounts
+-w /etc/openldap/ldap.conf -p wa -k T1078_Valid_Accounts
 -a always,exit -F path=/usr/libexec/sssd/p11_child -F perm=x -F auid>=500 -F auid!=-1 -k T1078_Valid_Accounts
 -a always,exit -F path=/usr/libexec/sssd/krb5_child -F perm=x -F auid>=500 -F auid!=-1 -k T1078_Valid_Accounts
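Review bot: `-w /etc/sssd/sssd.conf -p wa` watches only the main file, but sssd also reads drop-in snippets from /etc/sssd/conf.d/, so an override added there (for example a changed access or auth provider) would not be logged under T1078_Valid_Accounts. A directory watch, `-w /etc/sssd/ -p wa -k T1078_Valid_Accounts`, covers sssd.conf, the conf.d/ snippets and the rest of that tree in one rule and can replace the single-file line. The correction from `-p x` to `-p wa` on the three config watches is the right fix, since execute permission on a config file never triggers. /etc/openldap/ldap.conf is the RHEL-family path; on Debian-derived hosts this watch points at a file that is not present (presumably a harmless no-op with current auditctl, but worth a comment if the ruleset is meant to be cross-distribution).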