On Wednesday, July 13, 2016 9:27:25 AM EDT Chris Nandor wrote: > As mentioned in previous e-mail, we want to log what users do as root. I > have these two rules, only: > > -a exit,always -F arch=b32 -F euid=0 -F auid>=0 -F auid!=4294967295 -S > execve -k rootcmd > -a exit,always -F arch=b64 -F euid=0 -F auid>=0 -F auid!=4294967295 -S > execve -k rootcmd > > But this line shows up: > > node=grax.sea.marchex.com type=ANOM_ABEND > msg=audit(1468426871.752:3282575): auid=811 uid=811 gid=811 ses=12 > pid=18504 comm="chromium-browse" reason="seccomp" sig=0 syscall=91 compat=0 > ip=0x7f296c759c77 code=0x50001 There are two kinds of events. There are the ones that are triggered by the rules you load, and there are rules that are hardwired to be logged because something significant happened. In this case the seccomp filter killed chromium-browse because it violated policy. It has nothing to do with your rules which have a rootcmd key. To find the events triggered by your rule, use: ausearch --start today -k rootcmd -i -Steve > My guess is that it is because euid is missing; maybe euid=0 is true if > euid is null? I could put uid=0, instead of euid ... but that isn't > exactly what I want, I think. Is there a way to have the rule require euid > actually be 0? > > --Chris