Question on the unset user in audit
All,
I have seen some audit.rules that ignore ALL events involving auid being
the unset user ie a rule segment of
-F auid!=4294967295
What are the possible risks of excluding recording events from the unset
auid? Especially since I believe root could override the auid by writing
to /proc/self/loginuid.
Rgds