Why exclude unset auid in STIG rules

Steve Grubb sgrubb at redhat.com
Wed May 11 18:34:51 UTC 2016


On Wednesday, May 11, 2016 06:28:11 PM Wyatt, Curtis wrote:
> I don't understand why the STIG audit rules have -F auid!=4294967295 in it. 
> If auid is unset, why wouldn't you still want to see the events in the
> logs?

When a user logs in, the auid gets set to the uid that they used to login 
with. Daemons are not user sessions and have the loginuid set to  -1. The auid 
representation is an unsigned 32 bit integer. So, -1 becomes 4294967295. The 
rules use a directive like this: -F auid>=1000 to trigger on user activity. It 
turns out that would trigger on daemons doing something because 4294967295 is 
greater than 1000. So, we exclude daemons because user activity is the prime 
target.

-Steve




More information about the Linux-audit mailing list