From: Steve Grubb
Subject: Re: auid=0
Date: Mon, 03 Aug 2015 14:21:43 -0400
To: linux-audit@redhat.com
Message-ID: <8232042.ns10VY4MF9@x2>
In-Reply-To: <3db3c7197b826469a01470b399b61d28.squirrel@webmail.umbc.edu>

On Monday, August 03, 2015 02:11:31 PM rshaw1@umbc.edu wrote:
> Comparing the "official" STIG content with the scap-security-guide
> content, the former seems to have added corresponding rules for "-F
> auid=0" that aren't present in scap-security-guide. i.e. where
> scap-security-guide will just have one rule:
>
> -a always,exit -F arch=ARCH -S -F auid>=500 -F
> auid!=4294967295 -k delete
>
> the official content will have the above plus:
>
> -a always,exit -F arch=ARCH -S -F auid=0 -k delete
>
> Is the addition necessary?

Does the official STIG allow root logins? If so, I think that is a big mistake and should be fixed. If it does not allow root logins, then the only way I can think of having auid be 0 is for root cron jobs.

> It doesn't seem to be, as the rules caught root usage of, for example, chmod
> just fine without it (I had used su; not sure if there's a difference between
> that and other ways of being root.) I would like to make sure I'm right
> before asking one group or the other to delete or add it, respectively.

Perhaps they consider root cronjobs to be an attack vector?

-Steve
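The coverage question in this thread (which login uids the two rule sets actually record) can be checked with a small model of the auid filters. The following is an added example written for this archive page, not code from the thread, from auditd, or from scap-security-guide. It assumes what the audit filter semantics are for these rules: every -F condition within one -a always,exit rule must hold for that rule to fire, separate rules are independent, 4294967295 is the "loginuid never set" value, and the threshold of 500 is the one in the quoted rules. The sample events are constructed; the su case reflects that pam_loginuid sets auid at login and su does not change it, while a root cron job carries auid 0 because cron's PAM stack sets loginuid to the crontab owner.

```python
"""Model of the auid filtering in the scap-security-guide and STIG 'delete' rules.

Constructed illustration for the linux-audit thread above; it is not auditd code.
Only the auid conditions are modelled, since that is the only difference between
the two rule sets being compared.
"""
import operator

AUID_UNSET = 4294967295  # loginuid never set: kernel threads, early boot, some daemons
UID_MIN = 500            # threshold used in the quoted rules

# Each rule maps its key (-k) to the list of -F auid conditions that must ALL hold.
SSG_RULES = {
    "delete": [("auid", ">=", UID_MIN), ("auid", "!=", AUID_UNSET)],
}
# The "official" STIG content adds a second, independent rule for auid=0.
STIG_RULES = {
    **SSG_RULES,
    "delete(auid=0)": [("auid", "=", 0)],
}

# auditctl comparison operators as used with -F.
OPS = {
    "=": operator.eq,
    "!=": operator.ne,
    ">=": operator.ge,
    "<=": operator.le,
    ">": operator.gt,
    "<": operator.lt,
}


def rule_matches(conditions, event):
    """A rule fires only when every -F condition holds for the event."""
    return all(OPS[op](event[field], value) for field, op, value in conditions)


def matching_rules(rules, event):
    """Keys of all rules that would record this event (rules are independent)."""
    return [key for key, conds in rules.items() if rule_matches(conds, event)]


# Constructed events: the effective uid is 0 in every case; only auid differs.
SAMPLE_EVENTS = [
    {"desc": "uid 1000 logged in, ran su, then unlinked a file", "uid": 0, "auid": 1000},
    {"desc": "root cron job unlinked a file", "uid": 0, "auid": 0},
    {"desc": "direct root login unlinked a file", "uid": 0, "auid": 0},
    {"desc": "boot-time daemon unlinked a file (loginuid never set)", "uid": 0, "auid": AUID_UNSET},
]


def coverage_report(rules, events=SAMPLE_EVENTS):
    """Map each event description to the rule keys that would record it."""
    return {ev["desc"]: matching_rules(rules, ev) for ev in events}


def uncovered(rules, events=SAMPLE_EVENTS):
    """Event descriptions that no rule in the set would record."""
    return [desc for desc, keys in coverage_report(rules, events).items() if not keys]


if __name__ == "__main__":
    for name, rules in (("scap-security-guide", SSG_RULES), ("official STIG", STIG_RULES)):
        print(f"== {name} ==")
        for desc, keys in coverage_report(rules).items():
            print(f"  {desc}: {keys or 'NOT RECORDED'}")
```

Running it shows the point Steve makes: the su case has auid 1000 and is recorded by the scap-security-guide rule alone, so the poster's test could not distinguish the two rule sets; only an event whose loginuid is actually 0 (a root cron job, or a direct root login where one is permitted) needs the extra auid=0 rule, and events with loginuid never set are recorded by neither.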