As mentioned in previous e-mail, we want to log what users do as root. I have these two rules, only:
-a exit,always -F arch=b32 -F euid=0 -F auid>=0 -F auid!=4294967295 -S execve -k rootcmd
-a exit,always -F arch=b64 -F euid=0 -F auid>=0 -F auid!=4294967295 -S execve -k rootcmd
But this line shows up:
node=
grax.sea.marchex.com type=ANOM_ABEND msg=audit(1468426871.752:3282575): auid=811 uid=811 gid=811 ses=12 pid=18504 comm="chromium-browse" reason="seccomp" sig=0 syscall=91 compat=0 ip=0x7f296c759c77 code=0x50001
My guess is that it is because euid is missing; maybe euid=0 is true if euid is null? I could put uid=0, instead of euid ... but that isn't exactly what I want, I think. Is there a way to have the rule require euid actually be 0?
--Chris