Comparing the "official" STIG content with the scap-security-guide
content, the former seems to have added corresponding rules for "-F
auid=0" that aren't present in scap-security-guide. I.e., where
scap-security-guide will just have one rule:
    -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid>=500 -F auid!=4294967295 -k delete
the official content will have the above plus:
    -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid=0 -k delete
Is the addition necessary? It doesn't seem to be, as the rules caught
root usage of, for example, chmod just fine without it (I had used su; not
sure if there's a difference between that and other ways of being root.)
I would like to make sure I'm right before asking one group or the other
to delete or add it, respectively.
--Ray
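Added example, not part of the thread: a small Python evaluator for the -F auid filters in the two rule sets above. It assumes auditctl's semantics that all -F filters on one rule are ANDed, that auid is the login UID set at login and left unchanged by su or sudo, and uses "-S unlink" as a stand-in for the post's "<a bunch of stuff>".

```python
import re
from typing import List

# Constructed rule sets mirroring the post: SSG has only the auid>=500 rule,
# the STIG content adds an auid=0 rule. "ARCH" is kept as in the post.
SSG_RULES = [
    "-a always,exit -F arch=ARCH -S unlink -F auid>=500 -F auid!=4294967295 -k delete",
]
STIG_RULES = SSG_RULES + [
    "-a always,exit -F arch=ARCH -S unlink -F auid=0 -k delete",
]

# Comparison operators auditctl accepts on -F fields.
_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "!=": lambda a, b: a != b,
    "=": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
_AUID_FILTER = re.compile(r"-F\s+auid(>=|<=|!=|=|>|<)(\d+)")


def auid_filters(rule: str) -> List[tuple]:
    """Extract every '-F auid<op><value>' filter from one auditctl rule line."""
    return [(op, int(val)) for op, val in _AUID_FILTER.findall(rule)]


def rule_matches(rule: str, auid: int) -> bool:
    """A rule fires only if every -F filter holds (filters are ANDed)."""
    return all(_OPS[op](auid, val) for op, val in auid_filters(rule))


def matching_keys(rules: List[str], auid: int) -> List[str]:
    """Keys (-k) of the rules that would fire for a syscall by a process with this login UID."""
    return [re.search(r"-k\s+(\S+)", r).group(1) for r in rules if rule_matches(r, auid)]


# Constructed scenarios. auid is assigned at login (pam_loginuid) and survives su/sudo;
# 4294967295 is the "unset" auid of processes that never passed through a login.
SCENARIOS = {
    "uid 1000 logged in, then su to root": 1000,
    "root logged in directly": 0,
    "daemon started at boot, no login": 4294967295,
}

if __name__ == "__main__":
    for name, auid in SCENARIOS.items():
        print(f"{name:40} SSG={matching_keys(SSG_RULES, auid)} STIG={matching_keys(STIG_RULES, auid)}")
```

Running it shows why a chmod after su was caught without the extra rule (auid stayed 1000), while a direct root login (auid 0) is only caught by the STIG rule set.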