From mboxrd@z Thu Jan 1 00:00:00 1970 From: rshaw1@umbc.edu Subject: auid=0 Date: Mon, 3 Aug 2015 14:11:31 -0400 Message-ID: <3db3c7197b826469a01470b399b61d28.squirrel@webmail.umbc.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: Received: from mx1.redhat.com (ext-mx06.extmail.prod.ext.phx2.redhat.com [10.5.110.30]) by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id t73IBXja019200 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Mon, 3 Aug 2015 14:11:33 -0400 Received: from mx3.umbc.edu (mx3.umbc.edu [130.85.25.78]) by mx1.redhat.com (Postfix) with ESMTPS id CB8E5A380E for ; Mon, 3 Aug 2015 18:11:32 +0000 (UTC) Received: from smtp.umbc.edu (localhost [127.0.0.1]) by umbc.edu (mx3.umbc.edu) with ESMTP id t73IBVZw023343 for ; Mon, 3 Aug 2015 14:11:31 -0400 (EDT) Received: from webmail.umbc.edu (webmail2.umbc.edu [130.85.24.67]) by smtp.umbc.edu (mx3-relay.umbc.edu) with ESMTP id t73IBVFp023334 for ; Mon, 3 Aug 2015 14:11:31 -0400 (EDT) List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com Comparing the "official" STIG content with the scap-security-guide content, the former seems to have added corresponding rules for "-F auid=0" that aren't present in scap-security guide. i.e. where scap-security-guide will just have one rule: -a always,exit -F arch=ARCH -S -F auid>=500 -F auid!=4294967295 -k delete the official content will have the above plus: -a always,exit -F arch=ARCH -S -F auid=0 -k delete Is the addition necessary? It doesn't seem to be, as the rules caught root usage of, for example, chmod just fine without it (I had used su; not sure if there's a difference between that and other ways of being root.) I would like to make sure I'm right before asking one group or the other to delete or add it, respectively. --Ray