All, I have seen some audit.rules that ignore ALL events involving auid being the unset user ie a rule segment of
-F auid!=4294967295
What are the possible risks of excluding recording events from the unset
auid? Especially since I believe root could override the auid by writing
to /proc/self/loginuid.
Rgds
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
