Re: Filtering out non-interactive users

On Wednesday, January 19, 2011 09:01:55 am PJB wrote: > > That should work unless the is a 32 bit bug everyone has missed or you > > have another rule preventing the logging. If you do cat > > /proc/self/loginuid, do you get a number > 0? Also, if you use > > auid!=4294967295, does that work? > > The loginuid is 4294967295. If I pass '-F auid!=4294967295' into the > filters, when I run 'auditctl -l' the rules are listed, but each one has > 'auid=2147483647 (0x7fffffff)'. I get log entries then, but they are all > tagged with auid 4294967295. Is this proper or did I stumble upon a bug > after all? That is a 32 bit bug. I'm looking at how best to solve this. Probably all variants of uid and gid are affected by this.