I was trying out a syscall entry rule that I thought would block audit records from system services/daemons that haven’t had their audit ID (auid) set yet.  I’ve tried both:

 

-a entry,never -S all -F auid=-1

AND

-a entry,never -S all -F auid=4294967295

 

(4294967295) is the value that shows up in the audit log for these services.  I would have thought this rule was saying that at syscall entry (for any system call), don’t generate an audit event if the auid is -1 or 4294967295.  It seems to have the opposite effect.  Have I missed something?  Is this rule not saying what I want?

 

--Tad Taylor