From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Filtering out non-interactive users
Date: Wed, 19 Jan 2011 09:33:30 -0500
Message-ID: <201101190933.30392.sgrubb@redhat.com>
References: <20110114163701.GA31627@monolith>
	<201101161000.11655.sgrubb@redhat.com>
	<20110119140155.GA4133@monolith>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <20110119140155.GA4133@monolith>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, January 19, 2011 09:01:55 am PJB wrote:
> > That should work unless the is a 32 bit bug everyone has missed or you
> > have another  rule preventing the logging. If you do cat
> > /proc/self/loginuid, do you get a number > 0? Also, if you use
> > auid!=4294967295, does that work?
> 
> The loginuid is 4294967295. If I pass '-F auid!=4294967295' into the
> filters, when I run 'auditctl -l' the rules are listed, but each one has
> 'auid=2147483647 (0x7fffffff)'. I get log entries then, but they are all
> tagged with auid 4294967295. Is this proper or did I stumble upon a bug
> after all?

That is a 32 bit bug. I'm looking at how best to solve this. Probably all variants of 
uid and gid are affected by this.

-Steve