Re: Filtering out non-interactive users

On Wed, Jan 19, 2011 at 09:33:30AM -0500, Steve Grubb [sgrubb(a)redhat.com] wrote: > On Wednesday, January 19, 2011 09:01:55 am PJB wrote: > > > That should work unless the is a 32 bit bug everyone has missed or > > > you have another rule preventing the logging. If you do cat > > > /proc/self/loginuid, do you get a number > 0? Also, if you use > > > auid!=4294967295, does that work? > > > > The loginuid is 4294967295. If I pass '-F auid!=4294967295' into the > > filters, when I run 'auditctl -l' the rules are listed, but each one > > has 'auid=2147483647 (0x7fffffff)'. I get log entries then, but they > > are all tagged with auid 4294967295. Is this proper or did I stumble > > upon a bug after all? > > That is a 32 bit bug. I'm looking at how best to solve this. Probably all > variants of uid and gid are affected by this. I was afraid you would say that! Would it be a bug in the auditd userspace programs or in the kernel code? I assume it's the former?