Why exclude unset auid in STIG rules
Wyatt, Curtis
Curtis.Wyatt at gd-ms.com
Wed May 11 18:40:52 UTC 2016
Ok, so the assumption is that daemons are not compromised? In other words, if a daemon is compromised (or could be compromised), wouldn't you want to monitor it's behavior as well?
-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com]
Sent: Wednesday, May 11, 2016 11:35 AM
When a user logs in, the auid gets set to the uid that they used to login with. Daemons are not user sessions and have the loginuid set to -1. The auid representation is an unsigned 32 bit integer. So, -1 becomes 4294967295. The rules use a directive like this: -F auid>=1000 to trigger on user activity. It turns out that would trigger on daemons doing something because 4294967295 is greater than 1000. So, we exclude daemons because user activity is the prime target.
More information about the Linux-audit
mailing list