From: PJB
To: linux-audit@redhat.com
Subject: Re: Filtering out non-interactive users
Date: Wed, 19 Jan 2011 09:48:25 -0500

On Wed, Jan 19, 2011 at 09:33:30AM -0500, Steve Grubb [sgrubb@redhat.com] wrote:
> On Wednesday, January 19, 2011 09:01:55 am PJB wrote:
> > > That should work unless there is a 32 bit bug everyone has missed or you
> > > have another rule preventing the logging. If you do cat
> > > /proc/self/loginuid, do you get a number > 0? Also, if you use
> > > auid!=4294967295, does that work?
> >
> > The loginuid is 4294967295. If I pass '-F auid!=4294967295' into the
> > filters, when I run 'auditctl -l' the rules are listed, but each one has
> > 'auid=2147483647 (0x7fffffff)'. I get log entries then, but they are all
> > tagged with auid 4294967295. Is this proper or did I stumble upon a bug
> > after all?
>
> That is a 32 bit bug. I'm looking at how best to solve this. Probably all variants of
> uid and gid are affected by this.

I was afraid you would say that! Would it be a bug in the auditd userspace
programs or in the kernel code? I assume it's the former?

Patrick
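
The symptom reported in this message (4294967295 entered, 2147483647 (0x7fffffff) listed, unset-loginuid records still logged) is what a signed 32-bit conversion that saturates at its maximum produces. The C program below is an added example, not code from the audit project or from this thread; it assumes, without the thread confirming it, that the rule value passes through such a conversion somewhere, and all function names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define AUID_UNSET 4294967295u /* (uint32_t)-1, the loginuid value from the thread */

/* Models strtol() where long is 32 bits: out-of-range input saturates.
 * ASSUMPTION: this models the reported symptom, not a confirmed code path. */
static int32_t parse_as_signed32(const char *s)
{
    long long v = strtoll(s, NULL, 10);
    if (v > INT32_MAX) return INT32_MAX;
    if (v < INT32_MIN) return INT32_MIN;
    return (int32_t)v;
}

/* Accepts the full unsigned 32-bit range; returns 0 on success, -1 on error. */
static int parse_as_unsigned32(const char *s, uint32_t *out)
{
    char *end;
    unsigned long long v;

    if (s[0] == '-') return -1;          /* strtoull would silently negate */
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno || end == s || *end != '\0' || v > UINT32_MAX) return -1;
    *out = (uint32_t)v;
    return 0;
}

/* An "auid != rule_value" filter: nonzero means the record is logged. */
static int rule_matches(uint32_t rule_value, uint32_t record_auid)
{
    return record_auid != rule_value;
}

int main(void)
{
    const char *arg = "4294967295";      /* value passed as -F auid!=... */
    uint32_t bad = (uint32_t)parse_as_signed32(arg), good = 0;

    if (parse_as_unsigned32(arg, &good) != 0) return 1;
    printf("signed32 parse:   auid=%u (0x%x), unset auid logged: %d\n",
           (unsigned)bad, (unsigned)bad, rule_matches(bad, AUID_UNSET));
    printf("unsigned32 parse: auid=%u (0x%x), unset auid logged: %d\n",
           (unsigned)good, (unsigned)good, rule_matches(good, AUID_UNSET));
    return 0;
}
```

With the saturated value the exclusion never matches the unset loginuid, so the filter logs exactly the records it was written to drop; the same check applies to any uid or gid field above 2147483647.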