From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: Why exclude unset auid in STIG rules
Date: Wed, 11 May 2016 14:34:51 -0400
Message-ID: <6776565.2lPe2APqfW@x2>
References: <A08CED02BC8EFC4B89CE0E0B16F995C4389B9DF6@azrc4sazmsg10.rc4s.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <A08CED02BC8EFC4B89CE0E0B16F995C4389B9DF6@azrc4sazmsg10.rc4s.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: "Wyatt, Curtis" <Curtis.Wyatt@gd-ms.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
List-Id: linux-audit@redhat.com

On Wednesday, May 11, 2016 06:28:11 PM Wyatt, Curtis wrote:
> I don't understand why the STIG audit rules have -F auid!=4294967295 in it. 
> If auid is unset, why wouldn't you still want to see the events in the
> logs?

When a user logs in, the auid gets set to the uid that they used to login 
with. Daemons are not user sessions and have the loginuid set to  -1. The auid 
representation is an unsigned 32 bit integer. So, -1 becomes 4294967295. The 
rules use a directive like this: -F auid>=1000 to trigger on user activity. It 
turns out that would trigger on daemons doing something because 4294967295 is 
greater than 1000. So, we exclude daemons because user activity is the prime 
target.

-Steve