Re: auid=0 - Steve Grubb

linux-audit.redhat.com archive mirror
 help / color / mirror / Atom feed

From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: auid=0
Date: Mon, 03 Aug 2015 14:21:43 -0400	[thread overview]
Message-ID: <8232042.ns10VY4MF9@x2> (raw)
In-Reply-To: <3db3c7197b826469a01470b399b61d28.squirrel@webmail.umbc.edu>

On Monday, August 03, 2015 02:11:31 PM rshaw1@umbc.edu wrote:
> Comparing the "official" STIG content with the scap-security-guide
> content, the former seems to have added corresponding rules for "-F
> auid=0" that aren't present in scap-security guide.  i.e. where
> scap-security-guide will just have one rule:
> 
> -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid>=500 -F
> auid!=4294967295 -k delete
> 
> the official content will have the above plus:
> 
> -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid=0 -k delete
> 
> Is the addition necessary?

Does the official STIG allow root logins? If so, I think that is a big mistake 
and should be fixed.  If it does not allow root logins, then the only way I can 
think of having auid to be 0 is for root cron jobs.


> It doesn't seem to be, as the rules caught root usage of, for example, chmod
> just fine without it (I had used su; not sure if there's a difference between
> that and other ways of being root.) I would like to make sure I'm right
> before asking one group or the other to delete or add it, respectively.

Perhaps they consider root cronjobs to be an attack vector?

-Steve

next prev parent reply	other threads:[~2015-08-03 18:21 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-08-03 18:11 auid=0 rshaw1
2015-08-03 18:21 ` Steve Grubb [this message]
2015-08-03 18:53   ` auid=0 rshaw1
2015-08-03 19:06     ` auid=0 Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8232042.ns10VY4MF9@x2 \
    --to=sgrubb@redhat.com \
    --cc=linux-audit@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).