auid=0
Steve Grubb
sgrubb at redhat.com
Mon Aug 3 18:21:43 UTC 2015
On Monday, August 03, 2015 02:11:31 PM rshaw1 at umbc.edu wrote:
> Comparing the "official" STIG content with the scap-security-guide
> content, the former seems to have added corresponding rules for "-F
> auid=0" that aren't present in scap-security guide. i.e. where
> scap-security-guide will just have one rule:
>
> -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid>=500 -F auid!=4294967295 -k delete
>
> the official content will have the above plus:
>
> -a always,exit -F arch=ARCH -S <a bunch of stuff> -F auid=0 -k delete
>
> Is the addition necessary?
Does the official STIG allow root logins? If so, I think that is a big mistake
and should be fixed. If it does not allow root logins, then the only way I can
think of for auid to be 0 is root cron jobs.
> It doesn't seem to be, as the rules caught root usage of, for example, chmod
> just fine without it (I had used su; not sure if there's a difference between
> that and other ways of being root.) I would like to make sure I'm right
> before asking one group or the other to delete or add it, respectively.
Perhaps they consider root cronjobs to be an attack vector?
-Steve
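The filtering this thread is about, as an added example that is not part of the original mailing-list post: a small Python model of how the kernel's -F field comparisons decide which SYSCALL events the scap-security-guide rule (auid>=500 and auid!=4294967295) and the extra STIG rule (auid=0) would record. The syscall list (unlink,unlinkat,rename,renameat), arch=b64 standing in for the thread's ARCH placeholder, and the sample events are all constructed for the example; "root cron job" carries auid=0 as the reply describes, which on a real host depends on pam_loginuid being in cron's PAM stack.

```python
import operator
import re

# Comparison operators auditctl accepts in a -F field expression.
OPS = {
    ">=": operator.ge, "<=": operator.le, "!=": operator.ne,
    "=": operator.eq, ">": operator.gt, "<": operator.lt,
}
FIELD_RE = re.compile(r"-F\s+(\w+)(>=|<=|!=|>|<|=)(\S+)")
SYSCALL_RE = re.compile(r"-S\s+(\S+)")

UNSET_AUID = 4294967295  # (unsigned)-1: no login uid was ever set on the task

# Assumed concrete forms of the two rules quoted in the thread (arch=b64 and the
# syscall list are example choices; the thread uses ARCH and "<a bunch of stuff>").
SSG_RULE = ("-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat "
            "-F auid>=500 -F auid!=4294967295 -k delete")
STIG_EXTRA_RULE = ("-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat "
                   "-F auid=0 -k delete")

# Constructed sample events: the subset of SYSCALL record fields the rules test.
SAMPLE_EVENTS = {
    "user 1000 removes a file":
        {"arch": "b64", "syscall": "unlink", "auid": 1000, "uid": 1000},
    "user 1000 via su to root":          # auid keeps the original login uid
        {"arch": "b64", "syscall": "unlink", "auid": 1000, "uid": 0},
    "root cron job":                     # auid=0, as the reply describes
        {"arch": "b64", "syscall": "unlink", "auid": 0, "uid": 0},
    "boot-time daemon, auid unset":
        {"arch": "b64", "syscall": "unlink", "auid": UNSET_AUID, "uid": 0},
}


def parse_rule(rule):
    """Split an `-a always,exit ...` rule into its syscall set and -F filters."""
    syscalls = set()
    for group in SYSCALL_RE.findall(rule):
        syscalls.update(group.split(","))
    filters = []
    for field, op, value in FIELD_RE.findall(rule):
        filters.append((field, OPS[op], int(value) if value.isdigit() else value))
    return syscalls, filters


def rule_matches(rule, event):
    """True if the kernel would log `event` (a dict of record fields) under `rule`.

    All -F comparisons on one rule line are ANDed, which is why auid>=500 and
    auid!=4294967295 together exclude both root (0) and the unset sentinel.
    """
    syscalls, filters = parse_rule(rule)
    if event["syscall"] not in syscalls:
        return False
    return all(cmp(event[field], value) for field, cmp, value in filters)


def coverage(events=SAMPLE_EVENTS):
    """Map each sample event to the rule keys that would record it."""
    result = {}
    for name, event in events.items():
        hits = []
        if rule_matches(SSG_RULE, event):
            hits.append("ssg")
        if rule_matches(STIG_EXTRA_RULE, event):
            hits.append("stig-auid0")
        result[name] = hits
    return result


def only_auid0_rule_catches(events=SAMPLE_EVENTS):
    """Events that the extra STIG rule records but the scap-security-guide rule misses."""
    return [name for name, hits in coverage(events).items() if hits == ["stig-auid0"]]


if __name__ == "__main__":
    for name, hits in coverage().items():
        print(f"{name:32s} -> {hits or ['(not recorded)']}")
    print("missed without -F auid=0:", only_auid0_rule_catches())
```

Running the model shows the point of the question: su from an ordinary account keeps auid=1000, so the auid>=500 rule records it without help, while a task whose auid really is 0 is only recorded by the extra rule. A task with auid unset (4294967295) is excluded by both, so neither rule set captures early-boot activity.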