I want to achieve the following use case:
Restrict a particular user from using the commands passwd, init and reboot; if they are executed, the user should be automatically disconnected and an email should be sent to the admin with the user name and the command that was attempted.
I have imported the rule RL-RESTRICT-COMMANDS and modified it to apply to the user (prabhat) (screenshot attached).
The script arguments are as follows:
Name : policy
path default all:log
path /usr/bin/passwd !exec:log=9
path /sbin/init !exec:log=9
path /sbin/shutdown !exec:log=9
path /sbin/reboot !exec:log=9
Also, in the command risk I have added the host and the user with the commands, with the Auto disconnect checkbox checked.
Logging into the Unix box as the user prabhat and executing the command passwd, I am still able to run it, so the use case is not being achieved.
Please suggest where I am going wrong.
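One thing worth verifying before touching the product configuration is whether the binaries the user actually invokes resolve to the exact paths listed in the policy. On merged-/usr systems /sbin is commonly a symlink to /usr/sbin, and reboot, shutdown and init are often symlinks to systemd binaries, so a rule written against /sbin/reboot may never match the path that gets executed. The following POSIX shell script is an added diagnostic, not part of the original post or of the product's tooling: it embeds a constructed copy of the policy text above, extracts the paths carrying !exec (assumed here to be the restricted entries; the product's own semantics are not modelled), and reports for each one what the command name resolves to on the host.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Constructed copy of the policy
# lines shown in the post; only the path fields are used, nothing about the
# product's enforcement is assumed.
POLICY='path default all:log
path /usr/bin/passwd !exec:log=9
path /sbin/init !exec:log=9
path /sbin/shutdown !exec:log=9
path /sbin/reboot !exec:log=9'

# Print the paths of policy lines carrying a "!exec" action, one per line.
restricted_paths() {
    printf '%s\n' "$1" | awk '$1 == "path" && $3 ~ /^!exec/ { print $2 }'
}

# Return 0 if the given absolute path appears as a restricted entry in the policy text.
is_restricted() {
    _pol=$1
    _p=$2
    restricted_paths "$_pol" | grep -qx -- "$_p"
}

# For every restricted path, look the command name up in PATH, follow symlinks, and
# report whether the resolved location is the one the policy names. A MISMATCH line
# means the policy entry cannot match what the user's shell actually executes.
check_host() {
    restricted_paths "$1" | while IFS= read -r want; do
        name=${want##*/}
        found=$(command -v "$name" 2>/dev/null) || {
            echo "MISSING  $want ($name not found in PATH)"
            continue
        }
        real=$(readlink -f "$found" 2>/dev/null || printf '%s' "$found")
        if [ "$real" = "$want" ]; then
            echo "MATCH    $want"
        else
            echo "MISMATCH $want -> PATH finds $found, which resolves to $real"
        fi
    done
}

check_host "$POLICY"
```

Run it as the restricted user on the target host; any MISMATCH line is a candidate explanation for a rule that logs but never blocks, and the resolved path it prints is the one to compare against the policy entry.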