I was trying out a syscall entry rule that I thought would block audit records from system services/daemons that haven’t had their audit ID (auid) set yet. I’ve tried both:
-a entry,never -S all -F auid=-1
-a entry,never -S all -F auid=4294967295
(4294967295) is the value that shows up in the audit log for these services. I would have thought this rule was saying that at syscall entry (for any system call), don’t generate an audit event if the auid is -1 or 4294967295. It seems to have the opposite effect. Have I missed something? Is this rule not saying what I want?