auid=0

Steve Grubb sgrubb at redhat.com
Mon Aug 3 18:21:43 UTC 2015


On Monday, August 03, 2015 02:11:31 PM rshaw1 at umbc.edu wrote:
> Comparing the "official" STIG content with the scap-security-guide
> content, the former seems to have added corresponding rules for "-F
> auid=0" that aren't present in scap-security-guide.  i.e. where
> scap-security-guide will just have one rule:
> 
> -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid>=500 -F
> auid!=4294967295 -k delete
> 
> the official content will have the above plus:
> 
> -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid=0 -k delete
> 
> Is the addition necessary?

Does the official STIG allow root logins? If so, I think that is a big mistake
and should be fixed.  If it does not allow root logins, then the only way I can
think of for auid to be 0 is root cron jobs.


> It doesn't seem to be, as the rules caught root usage of, for example, chmod
> just fine without it (I had used su; not sure if there's a difference between
> that and other ways of being root.) I would like to make sure I'm right
> before asking one group or the other to delete or add it, respectively.

Perhaps they consider root cronjobs to be an attack vector?

-Steve
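Added example, not part of the original message: a small POSIX shell script that emulates the auid filters of the two rule variants discussed in the thread, so the coverage difference can be checked without loading rules into a live kernel. It reproduces the rule text from the message (the `-S <a bunch of stuff>` syscall list is left as the thread wrote it and is never passed to auditctl) and walks through constructed login-uid values: 4294967295 (the "unset" auid of daemons that never went through a login), 0 (a direct root login or a root cron job, where pam_loginuid sets auid to 0), a low system uid, and 500 (a regular user, which is also what a process keeps after `su` to root, which is why the poster's chmod test via su was recorded by the scap-security-guide rule alone).

```shell
#!/bin/sh
# Added example (not from the list post). Emulates which login uids (auid)
# each rule variant from the thread would match. Nothing here touches auditd.

# Rule text as quoted in the thread; ARCH and the syscall list are left as
# placeholders exactly as the message wrote them.
SSG_RULE='-a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid>=500 -F auid!=4294967295 -k delete'
STIG_EXTRA_RULE='-a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid=0 -k delete'

# Filters of the scap-security-guide rule: auid>=500 and auid!=4294967295.
# Returns 0 (success) when an event with login uid $1 would be recorded.
ssg_matches() {
    [ "$1" -ge 500 ] && [ "$1" -ne 4294967295 ]
}

# Filter of the extra STIG rule: auid=0 (root logins and root cron jobs).
stig_extra_matches() {
    [ "$1" -eq 0 ]
}

# Prints which rule records an event for login uid $1:
# "ssg", "stig-extra", or "none" when neither filter set matches.
recorded_by() {
    if ssg_matches "$1"; then
        echo ssg
    elif stig_extra_matches "$1"; then
        echo stig-extra
    else
        echo none
    fi
}

# Constructed scenarios: "<auid> <description>" per line.
SCENARIOS='4294967295 daemon, never logged in (auid unset)
0 direct root login or root cron job
1 system account cron job (uid below 500)
500 regular user, before or after su to root'

echo "SSG rule:        $SSG_RULE"
echo "STIG extra rule: $STIG_EXTRA_RULE"
echo
printf '%-11s %-12s %s\n' auid recorded_by scenario
echo "$SCENARIOS" | while read -r auid desc; do
    printf '%-11s %-12s %s\n' "$auid" "$(recorded_by "$auid")" "$desc"
done
```

Running it shows that the scap-security-guide rule alone never records an auid of 0, so whether the extra `-F auid=0` rule matters comes down to whether auid 0 can occur on the host (direct root logins or root cron jobs, as the reply says); activity by uids below 500 that are not root stays unrecorded under both variants.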
