Re: Why exclude unset auid in STIG rules
On Wednesday, May 11, 2016 06:28:11 PM Wyatt, Curtis wrote:
I don't understand why the STIG audit rules have -F
auid!=4294967295 in it.
If auid is unset, why wouldn't you still want to see the events in the
logs?
When a user logs in, the auid gets set to the uid that they used to login
with. Daemons are not user sessions and have the loginuid set to -1. The auid
representation is an unsigned 32 bit integer. So, -1 becomes 4294967295. The
rules use a directive like this: -F auid>=1000 to trigger on user activity. It
turns out that would trigger on daemons doing something because 4294967295 is
greater than 1000. So, we exclude daemons because user activity is the prime
target.
-Steve