I'm going through the RH415 course on RHLS. RHEL 7.5
Section 6.6 - "Guided Exercise: Writing Custom Audit Rules"
The auditctl command in step 2.1 doesn't add a watch for directory /bin but for a symlink /bin which points to /usr/bin. Only the symlink file is watched. Due to this fact the ausearch command in step 2.2 doesn't return the audit event associated with the execution of /bin/true. It only returned the event triggered by the addition of the new rule - it is also shown on the output in the course (type=CONFIG_CHANGE).
The correct command to add a watch (in 2.1) should be:
auditctl -w /usr/bin/ -p x -F "auid>=500" -F "euid=0" -k privileged-execution
Note the change of /bin to /usr/bin which is the directory containing executable "true".
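To make the pitfall described above checkable before a rule is loaded, here is a small POSIX shell helper, added as an example and not part of the course or the original post: it resolves the watch target with `readlink -f` so a symlink such as /bin is never what ends up being watched, builds the auditctl argument list with the exercise's filters, and compares the resolved watch directory against the resolved executable. The `watch_covers` and `naive_watch_covers` function names and the temporary-directory layout used for testing are this example's own; `auditctl` itself is only shown in a comment, since it needs root.

```shell
#!/bin/sh
# Added example: resolve an audit watch target to its canonical path before
# building the rule, so that a symlink such as /bin -> /usr/bin does not
# silently become the watched object (the bug in the exercise).

# Print the canonical path of the given file or directory.
resolve_watch_path() {
    readlink -f -- "$1"
}

# Print the auditctl arguments for an execution watch on the resolved
# directory, keeping the exercise's filters and key.
build_exec_watch_rule() {
    dir=$(resolve_watch_path "$1") || return 1
    printf '%s\n' "-w $dir/ -p x -F auid>=500 -F euid=0 -k privileged-execution"
}

# Return 0 when the (resolved) executable lives under the (resolved) watched
# directory, i.e. an execution of it would match the watch.
watch_covers() {
    watch=$(resolve_watch_path "$1") || return 1
    target=$(resolve_watch_path "$2") || return 1
    case "$target" in
        "$watch"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Same check without resolving the watch path: this is what goes wrong in the
# exercise, a watch on the symlink /bin never covers /usr/bin/true.
naive_watch_covers() {
    target=$(resolve_watch_path "$2") || return 1
    case "$target" in
        "$1"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on a RHEL host (needs root; not executed by this script):
#   auditctl $(build_exec_watch_rule /bin)   # loads the rule on /usr/bin/
#   auditctl -l                              # confirm the resolved path
```

On a RHEL 7 host `build_exec_watch_rule /bin` prints the rule with `/usr/bin/` substituted, which is the corrected command from the post; `naive_watch_covers /bin /bin/true` fails while `watch_covers /bin /bin/true` succeeds, which is exactly the gap that leaves the `true` execution out of the `ausearch` output.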
Thanks for reporting this. I will get in touch with the RH415 team to let them know about the issue.
Thanks for jumping in - this is actually a known bug and it's most probably going to be addressed in the next update.
I found another issue in the same course - in section 5.4 "Guided Exercise: Modifying the PAM Configuration", step 2.6 - logical expression "!root&student" isn't a correct expression to exclude users root and student. The correct expression should be "!root&!student" but it won't work. The expression provided in the course works but only because there's a bug in pam_time. I filed a bug report here: https://github.com/linux-pam/linux-pam/issues/124.