On Thursday, July 30, 2020 1:54:09 PM EDT Todd Heberlein wrote:
I’ve noticed that the httpd process on a CentOS 7.7 system I am working with is running with an Audit ID of -1. Example ID values are:
auid=4294967295
uid=48
gid=48
...
So if I use the standard filter "-F auid!=-1" in the audit rules I do not see httpd activity.
Is this common?
Yes, this is common. Most people are interested in the actions that people
take on the machine rather than normal system functioning.
How do I change the auid to something else, so I can capture the httpd activity in the audit log?
A couple of ways.
1) remove the auid!=-1. That will get you all daemons.
2) Use audit by executable rules:
-a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/httpd -F key=httpd-exec
-Steve
Example audit line:
type=SYSCALL msg=audit(1596065566.721:31357): arch=c000003e syscall=2
success=yes exit=15 a0=55a0a2d9b3c0 a1=80000 a2=0 a3=7ffe5d4d6720 items=1
ppid=1130 pid=1253 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
exe="/usr/sbin/httpd" key=(null)
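As an added example (not code from the thread or the audit project), the script below parses the SYSCALL record quoted above and emulates the two rule styles in the reply: a rule carrying `-F auid!=-1`, and the per-executable `-S execve -F exe=/usr/sbin/httpd` rule. It shows why the first drops every httpd record (the kernel reports an unset login uid as 4294967295, which auditctl spells -1) and which records the second would keep. The execve syscall number (59 on x86_64), the second and third sample records, and the dictionary form of the rules are assumptions constructed for this illustration.

```python
import re

AUID_UNSET = 0xFFFFFFFF    # (uid_t)-1: pam_loginuid never set a login uid
X86_64_ARCH = 'c000003e'   # arch value printed for -F arch=b64 records
EXECVE_X86_64 = 59         # assumed: syscall number behind -S execve on b64

# Constructed copy of the record quoted in the thread (httpd, auid unset).
THREAD_RECORD = (
    'type=SYSCALL msg=audit(1596065566.721:31357): arch=c000003e syscall=2 '
    'success=yes exit=15 a0=55a0a2d9b3c0 a1=80000 a2=0 a3=7ffe5d4d6720 items=1 '
    'ppid=1130 pid=1253 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 '
    'egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" '
    'exe="/usr/sbin/httpd" key=(null)'
)
# Constructed: httpd being executed (e.g. a service restart), auid unset.
HTTPD_EXECVE_RECORD = (
    'type=SYSCALL msg=audit(1596065600.100:31400): arch=c000003e syscall=59 '
    'success=yes exit=0 items=2 ppid=1 pid=1300 auid=4294967295 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 '
    'comm="httpd" exe="/usr/sbin/httpd" key=(null)'
)
# Constructed: an interactive user running ls, auid set by pam_loginuid.
USER_RECORD = (
    'type=SYSCALL msg=audit(1596065700.200:31500): arch=c000003e syscall=59 '
    'success=yes exit=0 items=2 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 '
    'euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 '
    'ses=5 comm="ls" exe="/usr/bin/ls" key=(null)'
)

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split an audit record into a field -> value dict, quotes stripped."""
    return {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}


def auid(fields):
    """auid as auditctl spells it: -1 when the kernel printed 4294967295."""
    value = int(fields['auid'])
    return -1 if value == AUID_UNSET else value


def rule_matches(fields, rule):
    """Emulate an always,exit rule given as
    {'arch': ..., 'syscalls': set or None (= all), 'filters': [(field, op, value)]}.
    Only the auid and exe filters used in the thread are modelled (assumption)."""
    if fields.get('arch') != rule['arch']:
        return False
    if rule['syscalls'] is not None and int(fields['syscall']) not in rule['syscalls']:
        return False
    for field, op, value in rule['filters']:
        actual = auid(fields) if field == 'auid' else fields.get(field)
        if op == '=' and actual != value:
            return False
        if op == '!=' and actual == value:
            return False
    return True


# The usual "human activity" rule shape, and the rule from the reply.
AUID_RULE = {'arch': X86_64_ARCH, 'syscalls': None,
             'filters': [('auid', '!=', -1)]}
HTTPD_EXEC_RULE = {'arch': X86_64_ARCH, 'syscalls': {EXECVE_X86_64},
                   'filters': [('exe', '=', '/usr/sbin/httpd')]}


def classify(line):
    """Report which of the two rule styles would keep a record."""
    f = parse_record(line)
    return {
        'comm': f.get('comm'),
        'auid': auid(f),
        'kept_by_auid_rule': rule_matches(f, AUID_RULE),
        'kept_by_httpd_exec_rule': rule_matches(f, HTTPD_EXEC_RULE),
    }


if __name__ == '__main__':
    for rec in (THREAD_RECORD, HTTPD_EXECVE_RECORD, USER_RECORD):
        print(classify(rec))
```

Note that the thread's record is an open() call (syscall=2), so the execve-only rule keeps it neither; that rule records httpd being executed, while dropping `auid!=-1` (option 1) is what makes daemon syscalls like this one visible.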