From 6ee38ae27c23271084a1baed6ee9023957244b94 Mon Sep 17 00:00:00 2001
From: Pierre-Gronau-ndaal <72132223+Pierre-Gronau-ndaal@users.noreply.github.com>
Date: Fri, 28 Jul 2023 07:46:43 +0200
Subject: [PATCH] Update audit.rules
---
 audit.rules | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/audit.rules b/audit.rules
index d590068..cc8e733 100644
--- a/audit.rules
+++ b/audit.rules
@@ -365,6 +365,13 @@
 -w /usr/local/bin/xfreerdp -p x -k T1219_Remote_Access_Tools
 -w /usr/bin/nmap -p x -k susp_activity
+## sssd
+-a always,exit -F path=/usr/libexec/sssd/p11_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
+-a always,exit -F path=/usr/libexec/sssd/krb5_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
+-a always,exit -F path=/usr/libexec/sssd/ldap_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
+-a always,exit -F path=/usr/libexec/sssd/selinux_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
+-a always,exit -F path=/usr/libexec/sssd/proxy_child -F perm=x -F auid>=500 -F auid!=4294967295 -k T1078_Valid_Accounts
+
 ## T1002 Data Compressed
 -w /usr/bin/zip -p x -k T1002_Data_Compressed
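Review bot: The five added rules hard-code `/usr/libexec/sssd/`, a location that is not the same on every distribution, and the `## sssd` heading says neither that nor what the rules are meant to catch. On a host where that directory is absent the rules will probably be rejected at load time, and unless the file is loaded with errors ignored (not visible in this hunk) the rules that follow may not be loaded either, which would leave a silent gap in audit coverage. I would expand the heading to something like `## sssd helper binaries executed from a login session (path is distribution-specific; adjust if the helpers are installed elsewhere)`. The `auid>=500` lower bound is also worth checking against the rest of the file and the host's UID_MIN, since many current distributions start regular accounts at 1000 and the lower value will additionally match accounts in the 500-999 range.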