From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Significant performance hit auditing system account actions?
Date: Thu, 14 May 2015 16:04:41 -0400
Message-ID: <2777231.gv2IbXrrAx@x2>
References: <CACv9p5przx6owrT+4Do-eo_4tKpKf-rxLz4D7XO7LzjYm1eViw@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <CACv9p5przx6owrT+4Do-eo_4tKpKf-rxLz4D7XO7LzjYm1eViw@mail.gmail.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, May 14, 2015 03:24:16 PM leam hall wrote:
> Some security requirements include auditing events by users and root. So
> the line might include something like:
> 
>   -F auid=0 -F auid>=500 -F auid!=4294967295

The fields will be "anded". You cannot simultaneously have auid of 0 and >=500. 
So, you won't get any events.

> My question is, if you don't include that phrase will the audit system
> still get everything and not incur a serious performance hit. Effectively
> it will audit everything for users 1-499, the usual system accounts.

Typically the requirements read as audit root user actions - which is covered 
by TTY auditing. Everything else is covered by the other rules.

-Steve